From 5e246e517caa3fc198685ee9d0e994ea69a349ba Mon Sep 17 00:00:00 2001 From: Alexander Amiri Date: Thu, 12 Mar 2026 11:45:01 +0100 Subject: [PATCH 1/2] Upgrade GitHub Actions to Node 24 compatible versions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - actions/checkout v4 → v5 - aws-actions/configure-aws-credentials v4 → v5 - hashicorp/setup-terraform v3 → v4 - actions/upload-artifact v4 → v6 - actions/download-artifact v4 → v5 Node 20 actions are deprecated and will stop working June 2, 2026. --- .github/workflows/approve-override.yml | 4 ++-- .github/workflows/build-jvm.yml | 4 ++-- .github/workflows/build-ts.yml | 2 +- .github/workflows/commit-terraform.yml | 6 +++--- .github/workflows/detect.yml | 2 +- .github/workflows/docker-build.yml | 4 ++-- .github/workflows/eb-deploy.yml | 4 ++-- .github/workflows/ecs-deploy.yml | 4 ++-- .github/workflows/expand-terraform.yml | 4 ++-- .github/workflows/plan-review.yml | 4 ++-- .github/workflows/platform-ci.yml | 26 +++++++++++++------------- .github/workflows/tf-apply.yml | 8 ++++---- .github/workflows/tf-plan.yml | 8 ++++---- 13 files changed, 40 insertions(+), 40 deletions(-) diff --git a/.github/workflows/approve-override.yml b/.github/workflows/approve-override.yml index f78e832..b8eeba3 100644 --- a/.github/workflows/approve-override.yml +++ b/.github/workflows/approve-override.yml @@ -37,12 +37,12 @@ jobs: runs-on: ubuntu-latest environment: override-approval steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 with: sparse-checkout: scripts - name: Configure AWS credentials via OIDC - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@v5 with: role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/javabin-ci-override-approver aws-region: ${{ env.AWS_REGION }} diff --git a/.github/workflows/build-jvm.yml b/.github/workflows/build-jvm.yml index c055236..fb62d5c 100644 --- a/.github/workflows/build-jvm.yml 
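Review bot: `actions/checkout@v5` and `aws-actions/configure-aws-credentials@v5` in the approve-override.yml hunk are still referenced by a mutable major tag, and the second one runs in the job that assumes `javabin-ci-override-approver` through OIDC. A tag can be moved to different code after this review, so I would pin each action to the full commit SHA of the release and keep the version as a trailing comment, `uses: actions/checkout@<full-commit-sha>  # v5` (placeholder, to be filled in from the upstream release). The same applies to every other `uses:` line this patch touches, including `hashicorp/setup-terraform@v4`, `actions/upload-artifact@v6` and `actions/download-artifact@v5` in the jobs that assume `javabin-ci-infra` and the per-repository deploy roles. The job body starts and ends outside the hunk.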
+++ b/.github/workflows/build-jvm.yml @@ -16,7 +16,7 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - uses: actions/setup-java@v4 with: @@ -29,7 +29,7 @@ jobs: - name: Upload test results if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v6 with: name: test-results path: "**/target/surefire-reports/*.xml" diff --git a/.github/workflows/build-ts.yml b/.github/workflows/build-ts.yml index ac1e7e7..c03e08d 100644 --- a/.github/workflows/build-ts.yml +++ b/.github/workflows/build-ts.yml @@ -16,7 +16,7 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - uses: pnpm/action-setup@v4 with: diff --git a/.github/workflows/commit-terraform.yml b/.github/workflows/commit-terraform.yml index 875c19c..ec726bc 100644 --- a/.github/workflows/commit-terraform.yml +++ b/.github/workflows/commit-terraform.yml @@ -27,7 +27,7 @@ jobs: commit: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 with: ref: ${{ github.ref }} @@ -35,7 +35,7 @@ jobs: id: check run: echo "has_yaml=$(test -f app.yaml && echo true || echo false)" >> "$GITHUB_OUTPUT" - - uses: hashicorp/setup-terraform@v3 + - uses: hashicorp/setup-terraform@v4 if: steps.check.outputs.has_yaml == 'true' with: terraform_version: "1.7" @@ -52,7 +52,7 @@ jobs: - name: Checkout platform scripts if: steps.check.outputs.has_yaml == 'true' - uses: actions/checkout@v4 + uses: actions/checkout@v5 with: repository: javaBin/platform token: ${{ steps.app-token.outputs.token }} diff --git a/.github/workflows/detect.yml b/.github/workflows/detect.yml index 0c81571..20bfccd 100644 --- a/.github/workflows/detect.yml +++ b/.github/workflows/detect.yml @@ -41,7 +41,7 @@ jobs: has_cdk: ${{ steps.check.outputs.has_cdk }} app_name: ${{ steps.check.outputs.app_name }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - name: Detect repo contents id: check 
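Review bot: The first build-jvm.yml hunk leaves `- uses: actions/setup-java@v4` on its old major directly below the bumped checkout, and the build-ts.yml hunk does the same for `- uses: pnpm/action-setup@v4`. The commit message gives the Node 20 deprecation as the reason for the upgrade, so the runtime declared in each of these two actions' `action.yml` should be checked and the lines bumped in the same patch if they still declare Node 20. If they are meant to stay, a short comment on each line saying why it remains on v4 would save the next reader the same lookup. Both jobs continue outside the hunks shown.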
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index d2239a4..28127da 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -38,10 +38,10 @@ jobs: image_uri: ${{ steps.push.outputs.image_uri }} image_tag: ${{ steps.tags.outputs.primary_tag }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - name: Configure AWS credentials via OIDC - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@v5 with: role-to-assume: arn:aws:iam::${{ inputs.aws_account_id }}:role/javabin-ci-deploy-${{ github.event.repository.name }} aws-region: ${{ inputs.aws_region }} diff --git a/.github/workflows/eb-deploy.yml b/.github/workflows/eb-deploy.yml index 473a326..e319f2d 100644 --- a/.github/workflows/eb-deploy.yml +++ b/.github/workflows/eb-deploy.yml @@ -27,10 +27,10 @@ jobs: deploy: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - name: Configure AWS credentials via OIDC - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@v5 with: role-to-assume: arn:aws:iam::${{ inputs.aws_account_id }}:role/javabin-ci-deploy-${{ github.event.repository.name }} aws-region: ${{ inputs.aws_region }} diff --git a/.github/workflows/ecs-deploy.yml b/.github/workflows/ecs-deploy.yml index 8879ba7..c1280cb 100644 --- a/.github/workflows/ecs-deploy.yml +++ b/.github/workflows/ecs-deploy.yml @@ -41,7 +41,7 @@ jobs: owner: javaBin - name: Checkout platform scripts - uses: actions/checkout@v4 + uses: actions/checkout@v5 with: repository: javaBin/platform token: ${{ steps.app-token.outputs.token }} 
@@ -50,7 +50,7 @@ jobs: path: .platform - name: Configure AWS credentials via OIDC - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@v5 with: role-to-assume: arn:aws:iam::${{ inputs.aws_account_id }}:role/javabin-ci-deploy-${{ github.event.repository.name }} aws-region: ${{ inputs.aws_region }} diff --git a/.github/workflows/expand-terraform.yml b/.github/workflows/expand-terraform.yml index 9e8610f..aaded55 100644 --- a/.github/workflows/expand-terraform.yml +++ b/.github/workflows/expand-terraform.yml @@ -27,7 +27,7 @@ jobs: expand: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 with: ref: ${{ github.ref }} @@ -40,7 +40,7 @@ jobs: owner: javaBin - name: Checkout platform scripts - uses: actions/checkout@v4 + uses: actions/checkout@v5 with: repository: javaBin/platform token: ${{ steps.app-token.outputs.token }} diff --git a/.github/workflows/plan-review.yml b/.github/workflows/plan-review.yml index 29670bf..6cd48b2 100644 --- a/.github/workflows/plan-review.yml +++ b/.github/workflows/plan-review.yml @@ -41,7 +41,7 @@ jobs: private-key: ${{ secrets.PLATFORM_APP_PRIVATE_KEY }} owner: javaBin - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 with: repository: javaBin/platform token: ${{ steps.app-token.outputs.token }} @@ -50,7 +50,7 @@ jobs: path: platform - name: Configure AWS credentials via OIDC - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@v5 with: role-to-assume: arn:aws:iam::${{ inputs.aws_account_id }}:role/javabin-ci-app-${{ github.event.repository.name }} aws-region: ${{ inputs.aws_region }} diff --git a/.github/workflows/platform-ci.yml b/.github/workflows/platform-ci.yml index f32a518..097a842 100644 --- a/.github/workflows/platform-ci.yml +++ b/.github/workflows/platform-ci.yml 
@@ -45,15 +45,15 @@ jobs: plan_text_key: ${{ steps.upload.outputs.plan_text_key }} plan_sha256: ${{ steps.upload.outputs.plan_sha256 }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - - uses: hashicorp/setup-terraform@v3 + - uses: hashicorp/setup-terraform@v4 with: terraform_version: "1.7" terraform_wrapper: false - name: Configure AWS credentials via OIDC - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@v5 with: role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/javabin-ci-infra aws-region: ${{ env.AWS_REGION }} @@ -82,7 +82,7 @@ jobs: - name: Upload Lambda ZIPs as artifact if: steps.plan.outputs.has_changes == 'true' - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v6 with: name: lambda-zips path: ${{ env.TF_ROOT }}/lambdas/builds/ @@ -106,9 +106,9 @@ jobs: outputs: risk_level: ${{ steps.review.outputs.risk_level }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - - uses: aws-actions/configure-aws-credentials@v4 + - uses: aws-actions/configure-aws-credentials@v5 with: role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/javabin-ci-infra aws-region: ${{ env.AWS_REGION }} @@ -147,14 +147,14 @@ jobs: needs.plan.outputs.has_changes == 'true' environment: production steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - - uses: hashicorp/setup-terraform@v3 + - uses: hashicorp/setup-terraform@v4 with: terraform_version: "1.7" terraform_wrapper: false - - uses: aws-actions/configure-aws-credentials@v4 + - uses: aws-actions/configure-aws-credentials@v5 with: role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/javabin-ci-infra aws-region: ${{ env.AWS_REGION }} 
@@ -166,7 +166,7 @@ jobs: run: sh scripts/check-risk-block.sh "$RISK" /javabin/slack/platform-override-alerts-webhook "https://github.com/${{ github.repository }}/actions/workflows/approve-override.yml" - name: Download Lambda ZIPs from artifact - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v5 with: name: lambda-zips path: ${{ env.TF_ROOT }}/lambdas/builds/ @@ -195,14 +195,14 @@ jobs: runs-on: ubuntu-latest if: github.event_name == 'schedule' steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - - uses: hashicorp/setup-terraform@v3 + - uses: hashicorp/setup-terraform@v4 with: terraform_version: "1.7" terraform_wrapper: false - - uses: aws-actions/configure-aws-credentials@v4 + - uses: aws-actions/configure-aws-credentials@v5 with: role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/javabin-ci-infra aws-region: ${{ env.AWS_REGION }} diff --git a/.github/workflows/tf-apply.yml b/.github/workflows/tf-apply.yml index bced35c..1489001 100644 --- a/.github/workflows/tf-apply.yml +++ b/.github/workflows/tf-apply.yml @@ -34,9 +34,9 @@ jobs: env: PLAN_BUCKET: javabin-ci-plan-artifacts-${{ inputs.aws_account_id }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - - uses: hashicorp/setup-terraform@v3 + - uses: hashicorp/setup-terraform@v4 with: terraform_version: "1.7" terraform_wrapper: false @@ -50,7 +50,7 @@ jobs: owner: javaBin - name: Checkout platform scripts - uses: actions/checkout@v4 + uses: actions/checkout@v5 with: repository: javaBin/platform token: ${{ steps.app-token.outputs.token }} @@ -59,7 +59,7 @@ jobs: # Step 1: Lightweight OIDC role — can only invoke gate Lambda + read S3 - name: Configure gate credentials via OIDC - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@v5 with: role-to-assume: arn:aws:iam::${{ inputs.aws_account_id }}:role/javabin-ci-apply-gate aws-region: ${{ inputs.aws_region }} 
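Review bot: `uses: actions/download-artifact@v5` in the step that fetches `lambda-zips` ends up one major behind the `actions/upload-artifact@v6` that produces the same artifact earlier in platform-ci.yml. Since the patch is meant to land on Node 24 compatible versions, it is worth confirming that download-artifact v5 declares the node24 runtime in its `action.yml`; if it does not, this line should move to the release that does. The job containing this step starts and ends outside the hunk.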
diff --git a/.github/workflows/tf-plan.yml b/.github/workflows/tf-plan.yml index 3fab0d8..1d05fd0 100644 --- a/.github/workflows/tf-plan.yml +++ b/.github/workflows/tf-plan.yml @@ -41,15 +41,15 @@ jobs: env: PLAN_BUCKET: javabin-ci-plan-artifacts-${{ inputs.aws_account_id }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - - uses: hashicorp/setup-terraform@v3 + - uses: hashicorp/setup-terraform@v4 with: terraform_version: "1.7" terraform_wrapper: false - name: Configure AWS credentials via OIDC - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@v5 with: role-to-assume: arn:aws:iam::${{ inputs.aws_account_id }}:role/javabin-ci-app-${{ github.event.repository.name }} aws-region: ${{ inputs.aws_region }} @@ -63,7 +63,7 @@ jobs: owner: javaBin - name: Checkout platform scripts - uses: actions/checkout@v4 + uses: actions/checkout@v5 with: repository: javaBin/platform token: ${{ steps.app-token.outputs.token }} From 6490b0a0dc5f027c607e79a84537452dba110034 Mon Sep 17 00:00:00 2001 From: Alexander Amiri Date: Thu, 12 Mar 2026 11:55:16 +0100 Subject: [PATCH 2/2] Trigger platform CI on workflow file changes --- .github/workflows/platform-ci.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/platform-ci.yml b/.github/workflows/platform-ci.yml index 097a842..788d64e 100644 --- a/.github/workflows/platform-ci.yml +++ b/.github/workflows/platform-ci.yml @@ -7,11 +7,13 @@ on: - 'terraform/platform/**' - 'terraform/lambda-src/**' - 'scripts/**' + - '.github/workflows/**' pull_request: paths: - 'terraform/platform/**' - 'terraform/lambda-src/**' - 'scripts/**' + - '.github/workflows/**' schedule: # Drift detection — Monday 06:00 UTC - cron: '0 6 * * 1'
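Review bot: The added `- '.github/workflows/**'` entries in patch 2/2 match every workflow file, not only platform-ci.yml, so an edit to any other workflow touched in patch 1/2 (build-ts.yml, eb-deploy.yml and so on) would now start this pipeline, whose plan job assumes `javabin-ci-infra`, on pull requests as well as on push. If the intent is to exercise platform CI when its own definition changes, `- '.github/workflows/platform-ci.yml'` is the narrower filter. If the broad match is intended, a comment above the entry such as `# Workflow edits re-run the platform plan so action upgrades are exercised` would record why. The first added entry presumably sits under the push filter, whose header is outside the hunk.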