Problem
The release.yml workflow run for v0.2.17 (run 26447314533) emitted a Node.js 20 deprecation annotation on three pinned actions:
| Action |
Current pinned SHA |
Tag at pin time |
actions/checkout |
34e114876b0b11c390a56381ad16ebd13914f8d5 |
v4 |
actions/setup-python |
a26af69be951a213d495a4c3e4e4022e16d87065 |
v5 |
docker/login-action |
c94ce9fb468520275223c153574b00df6fe4bcc9 |
(recent) |
The annotation reads:
Node.js 20 actions are deprecated. … Actions will be forced to run with Node.js 24 by default starting June 2nd, 2026. Node.js 20 will be removed from the runner on September 16th, 2026.
These actions are also used across ci.yml, security.yml, pr-title.yml, branch-protection.yml, eval-nightly.yml, changelog-prestage.yml, changelog-rollup.yml, release-drafter.yml, pin-freshness-audit.yml, artifact-cleanup.yml, and codeql.yml. The same SHAs likely appear in .github/actions/setup-uv-python/action.yml and other composite actions — scope confirmation needed.
Proposed solution
- Identify all SHAs pinned to Node-20-only releases. A grep over
.github/workflows/**/*.yml and .github/actions/**/*.yml for the three SHAs above is the floor; the existing weekly pin-freshness-audit workflow may already be flagging these as documented-tag-re-tagged.
- Bump each to a Node-24-compatible SHA of the corresponding action — verify upstream releases (
actions/checkout ≥ v5, actions/setup-python ≥ v6, docker/login-action post-Node24 release) before pinning. Keep the trailing # vN.M.P tag comment per docs/DEVELOPMENT.md#action-pinning-policy.
- Re-run a release-style workflow locally via
workflow_dispatch (e.g. eval-nightly.yml) to verify no warnings remain.
Acceptance criteria
Priority rationale
Hard deadline 2026-06-02 (≈one week from issue filing). On that date, runners force Node-24 unconditionally; if any of the pinned action versions don't support Node-24, the workflows break. The follow-up removal on 2026-09-16 is a second forcing function. Cheap, well-scoped change — the existing pin-freshness audit machinery is exactly what makes this easy to verify.
Problem
The
release.ymlworkflow run for v0.2.17 (run 26447314533) emitted a Node.js 20 deprecation annotation on three pinned actions:actions/checkout34e114876b0b11c390a56381ad16ebd13914f8d5actions/setup-pythona26af69be951a213d495a4c3e4e4022e16d87065docker/login-actionc94ce9fb468520275223c153574b00df6fe4bcc9The annotation reads:
These actions are also used across
ci.yml,security.yml,pr-title.yml,branch-protection.yml,eval-nightly.yml,changelog-prestage.yml,changelog-rollup.yml,release-drafter.yml,pin-freshness-audit.yml,artifact-cleanup.yml, andcodeql.yml. The same SHAs likely appear in.github/actions/setup-uv-python/action.ymland other composite actions — scope confirmation needed.Proposed solution
.github/workflows/**/*.ymland.github/actions/**/*.ymlfor the three SHAs above is the floor; the existing weeklypin-freshness-auditworkflow may already be flagging these as documented-tag-re-tagged.actions/checkout≥ v5,actions/setup-python≥ v6,docker/login-actionpost-Node24 release) before pinning. Keep the trailing# vN.M.Ptag comment perdocs/DEVELOPMENT.md#action-pinning-policy.workflow_dispatch(e.g.eval-nightly.yml) to verify no warnings remain.Acceptance criteria
.github/workflows/and.github/actions/# vN.M.P) updated to match the new SHAspin-freshness-auditafter the bump — output should be cleanPriority rationale
Hard deadline 2026-06-02 (≈one week from issue filing). On that date, runners force Node-24 unconditionally; if any of the pinned action versions don't support Node-24, the workflows break. The follow-up removal on 2026-09-16 is a second forcing function. Cheap, well-scoped change — the existing pin-freshness audit machinery is exactly what makes this easy to verify.