Skip to content

ci: future-proof action versions + stop no-op .github redeploys#22

Merged
cgoulart35 merged 3 commits into
masterfrom
ci-hygiene
Jun 13, 2026
Merged

ci: future-proof action versions + stop no-op .github redeploys#22
cgoulart35 merged 3 commits into
masterfrom
ci-hygiene

Conversation

@cgoulart35

Copy link
Copy Markdown
Owner

Two bits of CI hygiene you asked for.

1. Future-proof action versions (Node 20 → 24)

All five CI actions are flagged for the 2026-06-16 Node 20 forced migration. Bumped to latest Node-24 majors:

action from to
actions/checkout v4 v6
actions/setup-python v5 v6
docker/setup-buildx-action v3 v4
docker/login-action v3 v4
docker/build-push-action v6 v7

2. Skip redeploys for .github/-only pushes

Add ^\.github/ to the changes filter. Why it's safe (your concern): it only suppresses the build when every changed file is under .md/.claude//.github/ — all inert at runtime (baked in via COPY . . but never read by the app), exactly like the .md exclusion you already rely on. Any push that also touches real code (src, Dockerfiles, requirements, scripts, compose) still builds and deploys. No runtime-affecting change is ever suppressed.

Notes

  • This PR won't redeploy on merge — it includes the new filter, which excludes its own .github/-only diff. Clean.
  • Coverage: this PR's test/audit exercise the checkout/setup-python bumps directly. The docker-action bumps live in publish, which only runs on a real deploy — so they're first exercised on your next code-change merge (low risk: these majors are the official Node-24 releases). Rollback is a one-line revert.
  • This PR will get a real Claude review (it doesn't touch claude-review.yml) — first non-throwaway run.

🤖 Generated with Claude Code

Future-proofing ahead of the 2026-06-16 Node 20 forced migration: bump all CI actions to their latest Node-24 majors -- checkout v4->v6, setup-python v5->v6, setup-buildx v3->v4, login v3->v4, build-push v6->v7.

Also add ^\.github/ to the 'changes' filter so workflow/CI-config-only pushes skip the image build + Pi redeploy, consistent with the existing .md/.claude exclusions (all are baked into the image via 'COPY . .' but are inert at runtime). Mixed pushes that also touch real code still build, so no redeploy that changes runtime behavior is suppressed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@claude

claude Bot commented Jun 13, 2026

Copy link
Copy Markdown

Review: ci: future-proof action versions + stop no-op .github redeploys

Filter logic — correct and safe. The regex (\.md$|^\.claude/|^\.github/) anchors properly; mixed pushes (real code + .github/) still get code=true; the empty-diff edge case falls through to code=false as expected. The self-exclusion-on-merge behaviour described in the PR is accurate.

Action versionsactions/checkout@v6 is already in use in claude-review.yml in this repo, confirming it exists. The remaining bumps (setup-python@v6, docker actions) are consistent with the Node 24 migration but can't be independently verified here; per the PR notes they'll be exercised on the next real-code deploy (low blast radius, easily reverted).

Security — SHA pinning (pre-existing, good time to fix): every action uses a mutable version tag (@v4, @v6, etc.). If the tag is later moved to malicious code the next CI run is silently compromised. docker/login-action@v4 is the highest-risk instance — it receives GITHUB_TOKEN with packages: write, giving an attacker the ability to push poisoned images to GHCR and therefore the production Pi. Best practice is to pin to the full commit SHA with the version as a comment (docker/login-action@<sha> # v4). See inline comment.

Minor / pre-existing: the audit job has no needs: changes guard and runs on every push including docs-only ones. Not a regression here, but a cheap fix while the file is open.

Comment thread .github/workflows/ci.yml
Our ci.yml change added ^\.github/ to the 'changes' gate, so update the CLAUDE.md + README descriptions of the docs-only skip to include .github/ (CI-config-only pushes now skip publish/redeploy too). Also add a CLAUDE.md note documenting the new claude-review.yml auto-review workflow: CLAUDE_CODE_OAUTH_TOKEN auth, comments-only, and the merge-first caveat for workflow edits.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@claude

claude Bot commented Jun 13, 2026

Copy link
Copy Markdown

Review: ci: future-proof action versions + stop no-op .github redeploys

Clean CI hygiene PR. The action version bumps address the 2026-06-16 Node 20 forced migration and the .github/ filter extension is logically correct (the regex and fallback for first-push / non-push events both work). No runtime code is affected. One documentation inaccuracy flagged inline.

Comment thread CLAUDE.md Outdated
Add 'if: !github.event.pull_request.draft' to the review job so draft PRs don't spend Pro usage on WIP; add 'ready_for_review' to the triggers so a review fires when a draft is marked ready (opened/synchronize already ran while it was a draft and were skipped).

Docs: note drafts are skipped, and sharpen the 'fails its own review' explanation to attribute it to the action's backend workflow-validation (401), since a reviewer misread the prior wording as a GitHub execution-model claim.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@cgoulart35
cgoulart35 merged commit 332f28e into master Jun 13, 2026
4 of 5 checks passed
@cgoulart35
cgoulart35 deleted the ci-hygiene branch June 13, 2026 17:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant