From 04aa56a865d816263f3045792f17df72fd48dd8c Mon Sep 17 00:00:00 2001
From: claude-veilor-bot <279801990+s8n-ru@users.noreply.github.com>
Date: Wed, 6 May 2026 10:50:24 +0100
Subject: [PATCH] ci(bluebuild): pin actions to node20-safe tags
forgejo-runner v6.4.0 javascript runtime is node20. Pin every javascript action used in the spike branch's workflows to the last release that ships node20.
- actions/checkout v4 -> v4.1.7 (3 files)
- softprops/action-gh-release v2 -> v2.0.4 (build-iso)
- anchore/sbom-action v0 -> v0.17.2
- actions/attest-build-provenance v2 -> v2.2.3
- blue-build/github-action@v1 unchanged (TODO: SHA pin)
This is the spike-branch counterpart of the main-branch fix in feat/runner-fix-docker-sock-and-node20.
Co-Authored-By: Claude Opus 4.7
---
 .github/workflows/build-bluebuild.yml | 12 +++++++++---
 .github/workflows/build-iso.yml | 10 +++++++---
 .github/workflows/lint.yml | 9 ++++++---
 3 files changed, 22 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/build-bluebuild.yml b/.github/workflows/build-bluebuild.yml
index 951ba35..e07785a 100644
--- a/.github/workflows/build-bluebuild.yml
+++ b/.github/workflows/build-bluebuild.yml
@@ -48,7 +48,9 @@ jobs:
 steps:
 - name: Checkout 
- uses: actions/checkout@v4 
+ # Pinned to last v4 tag confirmed to ship on node20. v4.2+ ships 
+ # node24 which forgejo-runner v6.4.0 (node20) cannot exec. 
+ uses: actions/checkout@v4.1.7
 - name: Free up disk
 run: | 
@@ -85,7 +87,10 @@ jobs:
 - name: SBOM (SPDX)
 if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' 
- uses: anchore/sbom-action@v0 
+ # Pinned to last v0 tag confirmed to ship on node20. The `@v0` 
+ # floating tag rolls forward and will eventually pull a node24 
+ # release. TODO(infra): SHA pin in a follow-up sweep. 
+ uses: anchore/sbom-action@v0.17.2
 with:
 image: ${{ env.OCI_IMAGE }}:${{ env.OCI_TAG }}
 format: spdx-json 
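Review bot: `uses: actions/checkout@v4.1.7` replaces one mutable reference with another: a release tag can be moved or deleted upstream, so the "confirmed to ship on node20" claim in the new comment only holds at the moment it was checked, and the runtime pin only doubles as a supply-chain pin if it resolves to an immutable commit. Pin the full 40-character commit SHA the tag currently points to and keep the tag in a trailing comment so update tooling can still track it, e.g. `uses: actions/checkout@<full-commit-sha-of-v4.1.7>  # v4.1.7`. The same applies to every other `uses:` line this patch touches (the sbom-action and attest-build-provenance steps in build-bluebuild.yml, the checkout and both action-gh-release hunks in build-iso.yml, and the three checkout hunks in lint.yml); the TODO(infra) on the sbom-action step is currently the only place that follow-up is recorded, so it is worth stating once for all of them rather than on a single step.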
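Review bot: The SBOM step still scans `image: ${{ env.OCI_IMAGE }}:${{ env.OCI_TAG }}`, a mutable tag reference, while the attestation step in the next hunk identifies the artifact by `steps.bluebuild.outputs.digest`; if the tag is re-pushed between the build and this step, the SBOM describes a different image from the one the provenance attests to. Assuming the `bluebuild` step has already run by this point (it produces the digest used in the next hunk), scanning by digest would bind both documents to the same artifact: `image: ${{ env.OCI_IMAGE }}@${{ steps.bluebuild.outputs.digest }}`. Worth confirming that the `image` input of anchore/sbom-action at v0.17.2 accepts a digest reference before switching.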
@@ -93,7 +98,8 @@ jobs:
 - name: Build provenance attestation
 if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' 
- uses: actions/attest-build-provenance@v2 
+ # Pinned to last v2 tag confirmed to ship on node20. 
+ uses: actions/attest-build-provenance@v2.2.3
 with:
 subject-name: ${{ env.OCI_IMAGE }}
 subject-digest: ${{ steps.bluebuild.outputs.digest }} 
diff --git a/.github/workflows/build-iso.yml b/.github/workflows/build-iso.yml
index 8a5fc2e..7e14fc1 100644
--- a/.github/workflows/build-iso.yml
+++ b/.github/workflows/build-iso.yml
@@ -30,7 +30,9 @@ jobs:
 steps:
 - name: Checkout 
- uses: actions/checkout@v4 
+ # Pinned to last v4 tag confirmed to ship on node20. v4.2+ ships 
+ # node24 which forgejo-runner v6.4.0 (node20) cannot exec. 
+ uses: actions/checkout@v4.1.7
 - name: Free up disk
 run: | 
@@ -199,7 +201,8 @@ jobs:
 - name: Publish to ci-latest rolling prerelease
 if: success() && github.ref == 'refs/heads/main' 
- uses: softprops/action-gh-release@v2 
+ # Pinned to last v2 tag confirmed to ship on node20. 
+ uses: softprops/action-gh-release@v2.0.4
 with:
 tag_name: ci-latest
 name: "ci-latest (auto)" 
@@ -233,7 +236,8 @@ jobs:
 - name: Attach to release on tag
 if: github.event_name == 'release' 
- uses: softprops/action-gh-release@v2 
+ # Pinned to last v2 tag confirmed to ship on node20. 
+ uses: softprops/action-gh-release@v2.0.4
 with:
 files: |
 build/out/*.iso 
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index ee790bd..51a4bd0 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -12,7 +12,8 @@ jobs:
 container:
 image: registry.fedoraproject.org/fedora:43
 steps: 
- - uses: actions/checkout@v4 
+ # Pinned to last v4 tag confirmed to ship on node20. 
+ - uses: actions/checkout@v4.1.7
 - run: dnf -y install pykickstart
 - run: ksvalidator kickstart/veilor-os.ks 
@@ -20,7 +21,8 @@ jobs:
 name: Shell scripts
 runs-on: ubuntu-24.04
 steps: 
- - uses: actions/checkout@v4 
+ # Pinned to last v4 tag confirmed to ship on node20. 
+ - uses: actions/checkout@v4.1.7
 - uses: ludeeus/action-shellcheck@master
 with:
 severity: warning 
@@ -30,7 +32,8 @@ jobs:
 name: No personal/onyx leaks
 runs-on: ubuntu-24.04
 steps: 
- - uses: actions/checkout@v4 
+ # Pinned to last v4 tag confirmed to ship on node20. 
+ - uses: actions/checkout@v4.1.7
 - name: Grep for leaks
 run: |
 set -e 
-- 
2.45.2
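Review bot: `- uses: ludeeus/action-shellcheck@master` in the same step list is left on a floating branch reference, the least stable pin in any of the three files: a branch moves on every upstream push, so both the node-runtime assumption this patch makes and the integrity of the code executed in the lint job can change without any commit on this side. The commit message says every JavaScript action was pinned, so either this action is not JavaScript (then the message should say so) or it was missed; either way it should get at least a release tag and preferably a commit SHA, e.g. `- uses: ludeeus/action-shellcheck@<full-commit-sha>  # <release-tag>`. The @@ -30 hunk below changes only the checkout pin and has no separate issue.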