chore(deps): bump 5 actions to node24 + add dependabot.yml#1

Merged: homelabforge merged 2 commits into main from chore/node24-action-bumps on May 9, 2026

@homelabforge
Owner

Summary

  • Bumps the 5 remaining node20-runtime actions to node24 majors (verified via action.yml using: field at each pinned SHA)
  • Adds .github/dependabot.yml so future action bumps land via auto-PR (this repo previously had no dependabot — explains why these stale node20 pins survived)

Action bumps (all runtime-only, no API breaks)

| Action | Was | Now |
| --- | --- | --- |
| docker/build-push-action | v6 | v7.1.0 |
| docker/login-action | v3 | v4.1.0 |
| docker/setup-buildx-action | v3 | v4.0.0 |
| softprops/action-gh-release | v2 | v3.0.0 |
| dependabot/fetch-metadata | v2.4.0 | v3.1.0 |

Each major's release notes confirm: the only breaking change is dropping Node 20. GitHub-hosted runners are well past the required Actions Runner v2.327.1.

Why now

  • 2026-06-02 — Node 24 becomes runner default, node20-pinned actions get force-bumped (mostly transparent).
  • 2026-09-16 — Node 20 removed from runners; runs.using: node20 actions hard-fail.

Consumer follow-up

After tagging v1.3.0, consumer repos must bump their uses: ...@v1.x.x references:

  • mygarage (v1.2.0/v1.1.0)
  • tidewatch (v1.1.0)
  • vulnforge (v1.1.0)
  • familycircle (v1.1.0)
  • myhealth (v1.1.3)

Test plan

  • CI passes on this PR
  • After tagging v1.3.0, run a publish workflow on a consumer (e.g. tidewatch tag) to verify docker/build-push v7 + setup-buildx v4 work end-to-end on GHCR push
  • Verify GitHub Release creation still works (action-gh-release v3 — same env-based GITHUB_TOKEN usage we already have)

🤖 Generated with Claude Code

GitHub Actions runners deprecate Node 20 on 2026-09-16. The five
remaining node20-runtime actions in this repo's reusable workflows
all have current major releases on node24:

- docker/build-push-action       v6      → v7.1.0
- docker/login-action            v3      → v4.1.0
- docker/setup-buildx-action     v3      → v4.0.0
- softprops/action-gh-release    v2      → v3.0.0
- dependabot/fetch-metadata      v2.4.0  → v3.1.0

All five major bumps are runtime-only — no API breaks. Verified each
action's pinned SHA exposes `using: node24` in its action.yml.

Also adds .github/dependabot.yml so future action bumps land via
auto-PR rather than requiring a manual sweep before each runner
deprecation cutoff.

Consumers must bump their `uses:` tag to the next shared-workflows
release (v1.3.0) to inherit these changes.

Loop counter `i` is unused — only the iteration count matters.
Switch to `_` so shellcheck stops flagging it. This was failing
actionlint on main since the pg-migrations PR (cca23cd).
homelabforge merged commit 5d150a3 into main on May 9, 2026
1 check passed
homelabforge deleted the chore/node24-action-bumps branch on May 9, 2026 12:09
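
The check the PR summary describes (reading the `using:` field of action.yml at each pinned ref) can be scripted. The following is an added example, not part of this PR or repository: it lists every `uses:` reference in a workflow, records whether the ref is a full commit SHA, and reports the declared runtime. The function names, the placeholder SHAs and the sample workflow and action.yml excerpts are all constructed for illustration.

```python
import re

# `uses: owner/repo[/path]@ref`, optionally followed by a "# vX.Y.Z" comment.
USES_RE = re.compile(
    r"^[ \t]*(?:-[ \t]*)?uses:[ \t]*['\"]?([\w.-]+/[\w./-]+)@([\w./-]+)['\"]?"
    r"[ \t]*(?:#[ \t]*(\S+))?", re.M)
SHA_RE = re.compile(r"[0-9a-f]{40}")
USING_RE = re.compile(r"^[ \t]*using:[ \t]*['\"]?([\w-]+)", re.M)


def audit(workflow_text, action_ymls):
    """One finding per `uses:` line. action_ymls maps "owner/repo@ref" to the
    text of that action's action.yml at that ref (supplied inline so this runs
    offline; in practice it is fetched from the action's repository)."""
    findings = []
    for action, ref, label in USES_RE.findall(workflow_text):
        m = USING_RE.search(action_ymls.get(f"{action}@{ref}", ""))
        findings.append({
            "action": action,
            "ref": ref,
            "label": label,  # human-readable tag comment, if any
            "sha_pinned": bool(SHA_RE.fullmatch(ref)),  # tags and branches can move
            "runtime": m.group(1) if m else "unknown",
        })
    return findings


def problems(findings):
    """Actions that are not confirmed on node24, or that float on a tag."""
    return [f["action"] for f in findings
            if f["runtime"] != "node24" or not f["sha_pinned"]]


# Constructed sample input: placeholder SHAs, not real commits.
SHA_A, SHA_B = "1" * 40, "2" * 40
WORKFLOW = f"""\
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: docker/login-action@{SHA_A} # v4.1.0
      - uses: docker/build-push-action@v6
      - uses: softprops/action-gh-release@{SHA_B} # v3.0.0
"""
ACTION_YMLS = {  # constructed action.yml excerpts
    f"docker/login-action@{SHA_A}": "runs:\n  using: 'node24'\n  main: dist/index.js\n",
    "docker/build-push-action@v6": "runs:\n  using: node20\n  main: dist/index.js\n",
}

if __name__ == "__main__":
    for f in audit(WORKFLOW, ACTION_YMLS):
        print(f)
    print("needs attention:", problems(audit(WORKFLOW, ACTION_YMLS)))
```

An action whose action.yml could not be read is reported as `unknown` and listed for attention rather than assumed to be on node24.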