Background
While auditing the workflows and composite actions in this repo, I noticed wide major-version drift in the first-party actions/* dependencies. Most of these have new majors available with security fixes, smaller bundle sizes, and updated Node runners.
Findings
| Action | Versions currently in use | Latest |
| --- | --- | --- |
| actions/cache | v3, v4 | v4 |
| actions/cache/restore | v4 | v4 |
| actions/cache/save | v3 | v4 |
| actions/checkout | v3, v4, v6 | v6 |
| actions/upload-artifact | v4 | v4 |
Files where the older versions appear:
- cache-magento/action.yml — actions/cache@v3
- nx-integration-tests-setup/action.yml — actions/cache@v3, actions/cache/save@v3
- unit-test/action.yml — actions/cache@v3
- supported-services-matrix-calculator/action.yml — actions/checkout@v3
- setup-di-compile/action.yml — actions/checkout@v3
- .github/workflows/_internal-get-composer-version.yaml — actions/checkout@v4
- .github/workflows/_internal-get-magento-version.yaml — actions/checkout@v4
- .github/workflows/_internal-integration.yaml — actions/checkout@v4
- .github/workflows/_internal-semver-compare.yaml — actions/checkout@v4
- .github/workflows/_internal-setup-magento.yaml — actions/checkout@v4
- .github/workflows/_internal-unit.yaml — actions/checkout@v4
- .github/workflows/_internal_test_actions.yaml — actions/checkout@v4
- .github/workflows/full-integration-tests.yaml — actions/checkout@v4
- .github/workflows/integration.yaml — actions/checkout@v4, actions/cache@v4, actions/upload-artifact@v4
- (_internal-coding-standard.yaml and sansec-ecomscan.yml already use actions/checkout@v6)
Proposed change
Standardize on the latest major across the repo:
- actions/cache → v4 everywhere (including the cache/save and cache/restore sub-paths)
- actions/checkout → v6 everywhere
- actions/upload-artifact → already on v4
Why
- Reduces the surface area of the GitHub Actions allowlist consumers need to maintain (one major per action instead of three).
- Pulls in updated Node runtimes and any security fixes that have shipped in newer majors.
- Makes future audits (like this one) trivially mechanical.
Out of scope
Third-party actions (shivammathur/setup-php, dorny/paths-filter, tj-actions/changed-files, etc.) — those will be handled in a separate issue covering the Node 20 → Node 24 migration.
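
One way to make the audit above mechanical, as an added example that is not part of the original issue or the project's code. The names `TARGET_MAJOR`, `scan`, `majors_in_use` and the status labels are hypothetical, the target majors come from the findings table, and the sample file contents are constructed:

```python
import re
from collections import defaultdict

# Target majors, copied from the "Latest" column of the findings table.
TARGET_MAJOR = {"actions/cache": 4, "actions/checkout": 6, "actions/upload-artifact": 4}
# Matches `uses: actions/<name>[/<sub-path>]@<ref>`; commented-out lines do not match.
USES_RE = re.compile(r"""^\s*(?:-\s+)?uses:\s*['"]?(actions/[\w.-]+)((?:/[\w.-]+)*)@([^\s'"#]+)""")
MAJOR_RE = re.compile(r"^v(\d+)(?:\.\d+)*$")


def scan(files):
    """Return (path, line_no, action, ref, status) for each first-party `uses:` line."""
    rows = []
    for path, text in sorted(files.items()):
        for line_no, line in enumerate(text.splitlines(), start=1):
            m = USES_RE.match(line)
            if not m:
                continue
            base, sub_path, ref = m.groups()
            tag = MAJOR_RE.match(ref)
            if base not in TARGET_MAJOR:
                status = "no-target"
            elif not tag:
                status = "unclassified"  # SHA or branch ref: major not visible in the ref
            elif int(tag.group(1)) < TARGET_MAJOR[base]:
                status = "outdated"
            else:
                status = "ok"
            rows.append((path, line_no, base + sub_path, ref, status))
    return rows


def majors_in_use(rows):
    """Distinct refs seen per base action (sub-paths folded in), to show drift."""
    seen = defaultdict(set)
    for _path, _line, action, ref, _status in rows:
        seen["/".join(action.split("/")[:2])].add(ref)
    return {action: sorted(refs) for action, refs in seen.items()}

# Constructed sample input: contents and the SHA are made up for this example.
SAMPLE = {
    "unit-test/action.yml": "runs:\n  steps:\n    - uses: actions/cache@v3\n    # - uses: actions/checkout@v3\n",
    "nx/action.yml": "steps:\n  - name: save\n    uses: actions/cache/save@v3\n  - uses: actions/checkout@v6\n",
    "wf.yaml": "steps:\n  - uses: actions/checkout@v4\n"
               "  - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567 # v4\n",
}

if __name__ == "__main__":
    print([r for r in scan(SAMPLE) if r[4] != "ok"], majors_in_use(scan(SAMPLE)))
```

To run it over a checkout, build the `files` mapping from the YAML under `.github/workflows/` and each composite action's `action.yml`.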