ci: bump actions to Node-24 majors + dependabot (mirror from rewrite-microsandbox)

This commit is contained in:
Evgeny Boger 2026-05-25 14:27:42 +03:00
parent f5bacb5f41
commit c87d9bfb99
3 changed files with 33 additions and 9 deletions

24
.github/dependabot.yml vendored Normal file
View file

@ -0,0 +1,24 @@
# Automatic version bumps for the action pins in .github/workflows/.
# Without this, action majors silently drift behind — we hit exactly
# that with the Node 20 → 24 cutover (every action on Node 20 had a
# Node-24-on major already shipped but we were pinned to the older
# major).
#
# Submodule and Rust dep updates intentionally NOT enabled here —
# bumping vendor/microsandbox needs a careful audit (patched msb +
# libkrunfw kernel-config invariants), and Rust dep bumps are
# better handled by `cargo update` runs we drive manually.
version: 2
updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
day: "monday"
open-pull-requests-limit: 5
commit-message:
prefix: "ci"
labels:
- "dependencies"
- "github-actions"

View file

@ -50,10 +50,10 @@ jobs:
echo "tag=$(date -u +%Y-%m-%dT%H)" >> "$GITHUB_OUTPUT"
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@v4
- name: Log in to GHCR
uses: docker/login-action@v3
uses: docker/login-action@v4
with:
registry: ghcr.io
username: ${{ github.actor }}
@ -61,7 +61,7 @@ jobs:
- name: Build and push
id: build
uses: docker/build-push-action@v6
uses: docker/build-push-action@v7
with:
context: images
file: images/Dockerfile
@ -101,7 +101,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Prune image versions older than 14 days
uses: actions/github-script@v7
uses: actions/github-script@v9
with:
script: |
const owner = context.repo.owner;

View file

@ -88,7 +88,7 @@ jobs:
libcap-ng-dev libdbus-1-dev libsqlite3-dev pkg-config
- name: Cache cargo registry + target
uses: actions/cache@v4
uses: actions/cache@v5
with:
path: |
~/.cargo/registry
@ -206,7 +206,7 @@ jobs:
chmod +x "$dst/agent-vm" "$dst/msb"
- name: Upload platform artifact
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v7
with:
name: agent-vm-${{ matrix.platform }}
path: npm-dist/agent-vm-${{ matrix.platform }}/
@ -225,7 +225,7 @@ jobs:
registry-url: 'https://registry.npmjs.org'
# Download each platform artifact into its own subpackage
# directory explicitly. `actions/download-artifact@v5` with
# directory explicitly. `actions/download-artifact@v8` with
# `pattern:` + a single matched artifact does NOT wrap it in a
# subdir (the v5 behaviour change vs v4) — files land flat at
# the `path:` root. Downloading by exact `name:` into a
@ -237,13 +237,13 @@ jobs:
# checkout; the artifact carries bin/ + lib/ on top of it.
# download-artifact will create missing parents.
- name: Download linux-x64 artifact
uses: actions/download-artifact@v5
uses: actions/download-artifact@v8
with:
name: agent-vm-linux-x64
path: npm-dist/agent-vm-linux-x64/
- name: Verify artifact layout + restore executable bits
# `actions/upload-artifact@v4` packs files into a zip that
# `actions/upload-artifact@v7` packs files into a zip that
# doesn't preserve POSIX permissions. After download, the
# binaries land as 0644 — npm publishes them as-is and users
# get EACCES on first invocation. Restoring +x here is the