fix: upgrade all workflows to Node.js 24 (checkout@v5) and add missing permissions #38
…mentation-check.yml
…obs in security-checks.yml
Note: Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: e4e3122ce8
permissions:
  contents: read
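Review bot: contents: read on its own will not carry this job if a later step calls github.rest.issues.createComment on the pull request; add `pull-requests: write` to this job's permissions block (at job level, so the other jobs keep read-only tokens), or gate the comment step so the check does not go red when the token lacks that scope.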
Allow write scope before posting CODEOWNERS PR comments
The codeowners-check job now restricts GITHUB_TOKEN to contents: read, but a later step calls github.rest.issues.createComment when protected paths are changed. On those PRs, this call requires write permission to issues/pull requests and will fail with an authorization error, turning the check red instead of posting the guidance comment.
Summary
This PR fixes all 8 GitHub Actions workflow files across the repo. It resolves the Node.js 20 deprecation warning (actions/checkout@v4 → @v5) and closes all 6 open CodeQL security alerts (Workflow does not contain permissions).

Changes

Node.js 24 upgrade (actions/checkout@v4 → @v5)
- analytics-runner.yml
- docker-publish.yml
- docker-ci.yml
- documentation-check.yml (both jobs)
- policy-enforcement.yml
- release.yml + softprops/action-gh-release@v1 → @v2
- scheduled-validation.yml
- security-checks.yml (all 3 jobs)

Structural fixes
- docker-ci.yml — added missing checkout step, fixed step order (Buildx must be set up before build)
- policy-enforcement.yml — added missing on: trigger and jobs: block (file was invalid YAML)
- security-checks.yml — added missing uses: lines for all 3 checkout steps

Security / CodeQL alerts resolved
- permissions: contents: read to every job that was missing it

Files changed
- .github/workflows/analytics-runner.yml
- .github/workflows/docker-ci.yml
- .github/workflows/docker-publish.yml
- .github/workflows/documentation-check.yml
- .github/workflows/policy-enforcement.yml
- .github/workflows/release.yml
- .github/workflows/scheduled-validation.yml
- .github/workflows/security-checks.yml
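The job shape the PR description and the Codex comment are circling, as an added example and not a workflow from this repository: a read-only workflow-level default, a job-level widening to pull-requests: write for the one job that posts a comment, and actions/checkout@v5 (Node.js 24). The trigger paths, job and step names, the protected-path regex and the comment text are hypothetical.

```yaml
name: codeowners-check (example)

on:
  pull_request:
    paths:
      - '.github/**'
      - 'CODEOWNERS'

# Workflow-level default: every job's GITHUB_TOKEN can only read repo contents.
permissions:
  contents: read

jobs:
  codeowners-check:
    runs-on: ubuntu-latest
    # Only this job comments on the PR, so only this job gets the extra scope.
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v5          # Node.js 24 runtime
        with:
          persist-credentials: false       # don't leave the token in .git/config

      - name: Detect changes to protected paths
        id: protected
        env:
          BASE_REF: ${{ github.base_ref }}  # passed via env, not interpolated into the script
        run: |
          git fetch --depth=1 origin "$BASE_REF"
          if git diff --name-only "origin/$BASE_REF" HEAD | grep -Eq '^(CODEOWNERS|\.github/)'; then
            echo "changed=true" >> "$GITHUB_OUTPUT"
          else
            echo "changed=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Post guidance comment
        if: steps.protected.outputs.changed == 'true'
        uses: actions/github-script@v7
        with:
          script: |
            // Needs pull-requests: write on this job; with contents: read alone
            // this call fails with 403 and the check goes red.
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: 'This PR touches protected paths; CODEOWNERS review is required.',
            });
```

One caveat worth keeping in mind when reviewing this kind of fix: on pull_request events from forks the GITHUB_TOKEN is read-only regardless of the permissions block, so the comment step will still fail for fork PRs; either accept that or move the comment into a separate workflow_run job, keeping the untrusted checkout and the write-capable token in different jobs.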