Background
GitHub Actions has deprecated Node 20 in favor of Node 24 as the runtime for JavaScript actions. Actions whose action.yml declares runs.using: node20 will emit deprecation warnings and eventually fail to execute on hosted runners. Older runtimes (node16, node12) have already had hard cutoffs in the past and any references to them should be considered urgent.
Our own supported-version/action.yml is already on node24 (good). The third-party actions we depend on need to be audited and bumped where a node24-capable release is available.
Current runtime per pinned reference
Verified by reading each action.yml at the pinned ref:
| Action | Pinned to | Runtime | Used in |
|---|---|---|---|
| dorny/paths-filter | v2 | node16 ⚠️ | coding-standard-baseline/action.yml |
| tj-actions/changed-files | v39 | node20 | setup-di-compile/action.yml |
| google-github-actions/release-please-action | v4 | node20 | .github/workflows/release-please.yml |
| shivammathur/setup-php | v2 | node24 ✅ (floating tag was updated upstream — no action needed) | setup-magento, unit-test, coding-standard-baseline, setup-di-compile, several workflows |
| php-actions/composer | v6 | composite (no JS runtime) | nx-integration-tests-setup/action.yml |
Also on node16 (covered by #363)
The actions/*@v3 pins covered in #363 are also on node16, not just behind on majors:
- actions/checkout@v3 (used in supported-services-matrix-calculator, setup-di-compile)
- actions/cache@v3 (used in cache-magento, nx-integration-tests-setup, unit-test)
- actions/cache/save@v3 (used in nx-integration-tests-setup)
Bumping those to v4/v6 per #363 clears the last node16 references from this repo.
Special case: tj-actions/changed-files@v39
tj-actions/* was compromised in March 2025 (CVE-2025-30066) — any pin to a tag-based version in that namespace is risky regardless of node runtime. This action should be either:
- Replaced (e.g. dorny/paths-filter already covers a similar use case elsewhere in this repo, so consider consolidating), or
- Re-pinned to a verified-clean commit SHA.
Acceptance
- dorny/paths-filter bumped to a release on node24 (or current node20 if node24 isn't yet available upstream)
- tj-actions/changed-files@v39 is replaced or SHA-pinned
- google-github-actions/release-please-action bumped to a node24 release if/when available
Related
- actions/* references for version consistency #363 — bumping outdated first-party actions/* dependencies (also clears node16 references)
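A sketch of how the audit above could be repeated mechanically, added here as an example and not taken from this repository: it classifies each `uses:` reference by how it is pinned and maps an action.yml's `runs.using` value to the urgency levels used in this issue. It assumes regex matching is sufficient (no YAML parser); the function names, status labels, sample workflow and the 40-character SHA are constructed for illustration.

```python
import re

# `uses:` value up to whitespace, quote or trailing comment
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)", re.M)
USING_RE = re.compile(r"^\s*using:\s*['\"]?([\w-]+)", re.M)
SHA_RE = re.compile(r"[0-9a-f]{40}")  # full commit SHA, the only immutable ref

# Labels are this example's own shorthand for the issue's wording.
RUNTIME_STATUS = {"node12": "urgent", "node16": "urgent",
                  "node20": "deprecated", "node24": "ok"}

def classify_ref(uses):
    """Classify one `uses:` value by how it is pinned."""
    if uses.startswith(("./", "docker://")):
        return "local-or-docker"
    _, _, ref = uses.partition("@")
    if not ref:
        return "unpinned"
    # Tags and branches can be moved by whoever controls the upstream repo.
    return "sha-pinned" if SHA_RE.fullmatch(ref) else "mutable-ref"

def audit_workflow(text):
    """Return {uses value: pin class} for a workflow or composite action file."""
    return {u: classify_ref(u) for u in USES_RE.findall(text)}

def runtime_status(action_yml_text):
    """Return (runs.using value, status) for the text of an action.yml."""
    m = USING_RE.search(action_yml_text)
    using = m.group(1) if m else None
    fallback = "no-js-runtime" if using in ("composite", "docker") else "unknown"
    return using, RUNTIME_STATUS.get(using, fallback)

# Constructed sample input; the SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """
jobs:
  build:
    steps:
      - uses: actions/checkout@v3
      - uses: tj-actions/changed-files@v39
      - uses: dorny/paths-filter@0123456789abcdef0123456789abcdef01234567  # v3
      - uses: ./setup-di-compile
"""
SAMPLE_ACTION_YML = "runs:\n  using: node16\n  main: dist/index.js\n"

if __name__ == "__main__":
    for ref, pin in audit_workflow(SAMPLE_WORKFLOW).items():
        print(f"{pin:16} {ref}")
    print(runtime_status(SAMPLE_ACTION_YML))
```

The runtime check has to be run against the action.yml fetched at the exact pinned ref, since a floating tag such as v2 can point at a different runtime after an upstream update.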