From c87d9bfb99d261b7f31c971ae27f237fcf294889 Mon Sep 17 00:00:00 2001 From: Evgeny Boger Date: Mon, 25 May 2026 14:27:42 +0300 Subject: [PATCH] ci: bump actions to Node-24 majors + dependabot (mirror from rewrite-microsandbox) --- .github/dependabot.yml | 24 ++++++++++++++++++++++++ .github/workflows/build-image.yml | 8 ++++---- .github/workflows/release-npm.yml | 10 +++++----- 3 files changed, 33 insertions(+), 9 deletions(-) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..37f380c --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,24 @@ +# Automatic version bumps for the action pins in .github/workflows/. +# Without this, action majors silently drift behind — we hit exactly +# that with the Node 20 → 24 cutover (every action on Node 20 had a +# Node-24-on major already shipped but we were pinned to the older +# major). +# +# Submodule and Rust dep updates intentionally NOT enabled here — +# bumping vendor/microsandbox needs a careful audit (patched msb + +# libkrunfw kernel-config invariants), and Rust dep bumps are +# better handled by `cargo update` runs we drive manually. + +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + day: "monday" + open-pull-requests-limit: 5 + commit-message: + prefix: "ci" + labels: + - "dependencies" + - "github-actions" diff --git a/.github/workflows/build-image.yml b/.github/workflows/build-image.yml index b2a049d..13d679f 100644 --- a/.github/workflows/build-image.yml +++ b/.github/workflows/build-image.yml @@ -50,10 +50,10 @@ jobs: echo "tag=$(date -u +%Y-%m-%dT%H)" >> "$GITHUB_OUTPUT" - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@v4 - name: Log in to GHCR - uses: docker/login-action@v3 + uses: docker/login-action@v4 with: registry: ghcr.io username: ${{ github.actor }} @@ -61,7 +61,7 @@ jobs: - name: Build and push id: build - uses: docker/build-push-action@v6 + uses: docker/build-push-action@v7 with: context: images file: images/Dockerfile @@ -101,7 +101,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Prune image versions older than 14 days - uses: actions/github-script@v7 + uses: actions/github-script@v9 with: script: | const owner = context.repo.owner; diff --git a/.github/workflows/release-npm.yml b/.github/workflows/release-npm.yml index dc121c9..7fc75b7 100644 --- a/.github/workflows/release-npm.yml +++ b/.github/workflows/release-npm.yml @@ -88,7 +88,7 @@ jobs: libcap-ng-dev libdbus-1-dev libsqlite3-dev pkg-config - name: Cache cargo registry + target - uses: actions/cache@v4 + uses: actions/cache@v5 with: path: | ~/.cargo/registry @@ -206,7 +206,7 @@ jobs: chmod +x "$dst/agent-vm" "$dst/msb" - name: Upload platform artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v7 with: name: agent-vm-${{ matrix.platform }} path: npm-dist/agent-vm-${{ matrix.platform }}/ @@ -225,7 +225,7 @@ jobs: registry-url: 'https://registry.npmjs.org' # Download each platform artifact into its own subpackage - # directory explicitly. `actions/download-artifact@v5` with + # directory explicitly. `actions/download-artifact@v8` with # `pattern:` + a single matched artifact does NOT wrap it in a # subdir (the v5 behaviour change vs v4) — files land flat at # the `path:` root. Downloading by exact `name:` into a @@ -237,13 +237,13 @@ jobs: # checkout; the artifact carries bin/ + lib/ on top of it. # download-artifact will create missing parents. - name: Download linux-x64 artifact - uses: actions/download-artifact@v5 + uses: actions/download-artifact@v8 with: name: agent-vm-linux-x64 path: npm-dist/agent-vm-linux-x64/ - name: Verify artifact layout + restore executable bits - # `actions/upload-artifact@v4` packs files into a zip that + # `actions/upload-artifact@v7` packs files into a zip that # doesn't preserve POSIX permissions. After download, the # binaries land as 0644 — npm publishes them as-is and users # get EACCES on first invocation. Restoring +x here is the