Skip to content

chore: bump GHA major versions (checkout v3→v6, login-action v2→v4, build-push v4→v7)#73

Merged
SyniRon merged 2 commits into
developfrom
chore/gha-major-bumps
May 19, 2026
Merged

chore: bump GHA major versions (checkout v3→v6, login-action v2→v4, build-push v4→v7)#73
SyniRon merged 2 commits into
developfrom
chore/gha-major-bumps

Conversation

@SyniRon

@SyniRon SyniRon commented May 19, 2026

Copy link
Copy Markdown
Collaborator

Summary

Bundles three Dependabot major-version bumps for the release-only build_and_push workflow into one PR:

  • actions/checkout v3 → v6 — Node 24 default runtime, persists credentials to $RUNNER_TEMP instead of git config (requires Actions Runner v2.329.0+)
  • docker/login-action v2 → v4 — Node 24 default runtime (requires Runner v2.327.1+)
  • docker/build-push-action v4 → v7 — Node 24 default runtime, default SLSA provenance attestations since v5, v7 removed deprecated DOCKER_BUILD_NO_SUMMARY and DOCKER_BUILD_EXPORT_RETENTION_DAYS env vars (neither used here)

What to watch for

GitHub-hosted ubuntu-latest runners always meet the runner-version floors.

Provenance attestations bundle into the image manifest by default since docker/build-push-action@v5. Watchtower compares digests so the auto-rotation flow on traycer is unaffected. If the manifest size ever becomes a concern, set provenance: false on the build-push step.

The workflow only fires on release: published so the real-world validation is the next release tag cut. No production impact from the merge itself.

Test plan

  • Diff inspected — three uses: line changes, no other YAML touched
  • First post-merge release tag fires the workflow successfully (validation deferred to next release per the standing deferred-release call)

Supersedes #55, #56, #57 — closing those after this merges.

🤖 Generated with Claude Code

SyniRon and others added 2 commits May 19, 2026 19:46
…uild-push v4→v7)

Bundles three Dependabot major-version bumps for the release-only
build_and_push workflow:

- actions/checkout v3 → v6 (Node 24; requires Runner v2.329.0+)
- docker/login-action v2 → v4 (Node 24; requires Runner v2.327.1+)
- docker/build-push-action v4 → v7 (Node 24; default SLSA provenance
  attestations since v5; v7 removed deprecated DOCKER_BUILD_NO_SUMMARY
  and DOCKER_BUILD_EXPORT_RETENTION_DAYS env vars — neither used here)

GitHub-hosted ubuntu-latest meets all runner-version floors. Provenance
attestations land in the manifest by default; Watchtower compares
digests so the auto-rotation flow is unaffected.

Supersedes #55, #56, #57.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
go.yml runs Build + Lint on every push (real CI on PRs — Dependabot
was actually bumping these v1 call sites, not the v3 in
build_and_push.yml which I caught first).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@SyniRon SyniRon merged commit 0cf5fd5 into develop May 19, 2026
2 checks passed
@SyniRon SyniRon deleted the chore/gha-major-bumps branch May 19, 2026 23:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant