ci: update GitHub Actions to latest versions#7235

Open
d0wn3d wants to merge 1 commit into dashpay:develop from d0wn3d:develop

Conversation

@d0wn3d d0wn3d commented Mar 18, 2026

Issue being fixed or feature implemented

Fixes the GitHub Actions annotation warnings.

Node.js 20 actions are deprecated. Actions will be forced to run with Node.js 24 by default starting June 2nd, 2026. Please check if updated versions of these actions are available that support Node.js 24.

What was done?

  • Updated all GitHub Actions to latest versions:

    • actions/checkout: v4 → v6
    • actions/cache: v4 → v5
    • actions/cache/restore: v4 → v5
    • actions/cache/save: v4 → v5
    • actions/upload-artifact: v4 → v6
    • actions/download-artifact: v4 → v8
    • docker/setup-buildx-action: v3 → v4
    • docker/login-action: v3 → v4
    • docker/build-push-action: v6 → v7
    • docker/buildx: v4 → v5
    • docker/metadata-action: v6 → v7
    • docker/build-push-action: v6 → v7
    • docker/setup-qemu-action@v3 → v4
    • mshick/add-pr-comment@v2 → v3
  • Replaced deprecated actions/attest-build-provenance@v1

    • Now uses actions/attest@v4

As of version 4, actions/attest-build-provenance is simply a wrapper on top of actions/attest.
Existing applications may continue to use the attest-build-provenance action, but new implementations should use actions/attest instead. By default, this generates a SLSA build provenance attestation.

More info at: https://github.com/marketplace/actions/attest-build-provenance

How Has This Been Tested?

Not tested.

Breaking Changes

Upgrading to actions/checkout@v6, actions/github-script@v8 and actions/cache@v5 can break CI on self-hosted labels unless the runner fleet is already updated: checkout v6, cache v5 and github-script v8 require Actions Runner v2.327.1+, and the actions/checkout@v6 release notes also call out v2.329.0+ for persisted-credential access in containerized git scenarios.

Checklist:

Go over all the following points, and put an x in all the boxes that apply.

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have added or updated relevant unit/integration/functional/e2e tests
  • I have made corresponding changes to the documentation
  • I have assigned this pull request to a milestone (for repository code-owners and collaborators only)

github-actions bot commented Mar 18, 2026

✅ No Merge Conflicts Detected

This PR currently has no conflicts with other open PRs.

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 404447cb91

steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@v6
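Review bot: the rendered hunk has lost its -/+ markers, so the two `uses:` lines are the removed `actions/checkout@v4` reference and its `actions/checkout@v6` replacement, not a duplicated key. The point to settle before merging is the runner minimum: this step runs in a container and the job later performs an authenticated git fetch, and the checkout v6 release notes call out Actions Runner v2.329.0+ for persisted-credential access in exactly that scenario, so either confirm every self-hosted label reachable through the `runs-on` inputs meets it or hold the step at v5 until the fleet does. While the line is being touched, pinning to the action's full commit SHA with the tag kept in a trailing comment (`# v6`) would make this and later bumps auditable.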

P2 Badge Gate checkout v6 behind runner-version readiness

Upgrading this step to actions/checkout@v6 can break CI on self-hosted labels unless the runner fleet is already updated: checkout v6 requires Actions Runner v2.327.1+, and its release notes also call out v2.329.0+ for persisted-credential access in containerized git scenarios. This workflow runs in a container and later performs authenticated git fetch, so older blacksmith/custom runners selected by runs-on inputs can fail after this change; either keep v5 until runner minimums are enforced or add an explicit runner-version gate.

d0wn3d (Author) replied:

v2.329.0 was released in October 2025. Blacksmith should use the latest runners, or at least >v2.329.0

https://github.com/actions/runner/releases/tag/v2.329.0

coderabbitai bot commented Mar 18, 2026

Walkthrough

This pull request updates GitHub Actions across many .github/workflows files, primarily bumping action versions: actions/checkout → v6, actions/cache → v5, docker/setup-buildx-action → v4, docker/login-action → v4, docker/build-push-action → v7, actions/upload-artifact → v6, actions/download-artifact → v8, and actions/attest-build-provenance → actions/attest@v4. Most workflows are only version upgrades with no control-flow changes. cache-depends-sources.yml additionally adds restore-keys, lookup-only: true, and a conditional download-sources step that runs on cache miss.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks: 3 passed
  • Title check: ✅ Passed. The title clearly and concisely summarizes the main change: updating GitHub Actions to latest versions, which aligns directly with the changeset.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Description check: ✅ Passed. The pull request description clearly explains the purpose (fixing GitHub Actions deprecation warnings), lists all updated actions with version numbers, and provides context about breaking changes and testing status.

@d0wn3d d0wn3d changed the title refactor(ci): update GitHub Actions to latest versions ci: update GitHub Actions to latest versions Mar 18, 2026

@thepastaclaw thepastaclaw left a comment

Code Review

The PR correctly updates most GitHub Actions to their latest versions across the main CI workflows. Three workflow files were missed entirely (release_docker_hub.yml, clang-diff-format.yml, merge-check.yml), the PR description lists incorrect target versions (v5) for upload-artifact (actually v6) and download-artifact (actually v8), and the attestation action was swapped from a SLSA-specific action to a general-purpose one that may produce different attestation output.

Reviewed commit: 404447c

🟡 3 suggestion(s)

1 additional finding

🟡 suggestion: Three workflow files were not updated

.github/workflows/release_docker_hub.yml (lines 13-65)

release_docker_hub.yml, clang-diff-format.yml, and merge-check.yml still use old action versions.

  • release_docker_hub.yml: actions/checkout@v3, docker/setup-buildx-action@v2, docker/login-action@v2, docker/build-push-action@v3, actions/github-script@v6, docker/metadata-action@v4
  • clang-diff-format.yml: actions/checkout@v3 (line 12)
  • merge-check.yml: actions/checkout@v3 (line 17)

These should be updated for consistency with the rest of the CI workflows. release_docker_hub.yml is the most outdated, with 6 actions behind the versions used in the updated files.

🤖 Prompt for all review comments with AI agents
These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `.github/workflows/test-src.yml`:
- [SUGGESTION] line 42: PR description lists wrong target versions for upload-artifact and download-artifact
  The PR description states `upload-artifact: v4 → v5` and `download-artifact: v4 → v5`, but the code uses `upload-artifact@v6` (build-src.yml:168, guix-build.yml:143, test-src.yml:77) and `download-artifact@v8` (test-src.yml:42). Both are the correct latest versions and are cross-compatible — the description just needs updating to match.

In `.github/workflows/guix-build.yml`:
- [SUGGESTION] lines 149-152: attest-build-provenance replaced with different action (actions/attest)
  This is not a version bump — `actions/attest-build-provenance@v1` was replaced with `actions/attest@v4`, which is a different action. The former specifically generates SLSA Build L1 provenance attestations (predicate type `https://slsa.dev/provenance/v1`). The general-purpose `actions/attest` may require an explicit `predicate-type` input to produce equivalent output. Without it, the attestation format could differ from what was previously generated, potentially affecting downstream provenance verification. Verify that `actions/attest@v4` with only `subject-path` produces the same SLSA provenance attestation.

@thepastaclaw thepastaclaw left a comment

Code Review

Trivial incremental: catches two additional workflow files (.github/workflows/clang-diff-format.yml and merge-check.yml) that were still on older action versions (checkout@v3, add-pr-comment@v2). Changes are consistent with the PR's goal of updating all GitHub Actions to latest versions.

Reviewed commit: 7163785

@thepastaclaw thepastaclaw left a comment

Code Review

Two issues, one critical:

🔴 Critical: predicate-type will break the attest step

In guix-build.yml, the predicate-type: https://slsa.dev/provenance/v1 input on actions/attest@v4 will cause the step to fail at runtime. Here's why:

  1. actions/attest@v4 uses an auto-detection system for attestation type: if predicate-type is provided, it switches to "custom" mode
  2. In custom mode, predicateFromInputs() requires either predicate or predicate-path — neither is set here
  3. Result: Error: One of predicate-path or predicate must be provided

The predicate-type line should simply be removed. Without any predicate inputs, actions/attest@v4 defaults to "provenance" mode which auto-generates SLSA build provenance — exactly what attest-build-provenance@v1 was doing. No explicit predicate-type needed.

🟡 Still missing: release_docker_hub.yml

This file was flagged in the first review but hasn't been updated yet. It still uses:

  • actions/checkout@v3 → should be v6
  • docker/setup-buildx-action@v2 → should be v4
  • docker/login-action@v2 → should be v4
  • docker/build-push-action@v3 → should be v7
  • actions/github-script@v6 → should be v7 (latest)
  • docker/metadata-action@v4 → should be v6

Everything else in the PR looks good — the version bumps across all other workflow files are correct and consistent.
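The three attest configurations the review above contrasts, written out as workflow fragments so the mode selection is visible. This is an added illustration, not code from the PR or from actions/attest; the `dist/*.tar.gz` subject path, step names, the example.com predicate type and the generated predicate file are assumptions, and the `permissions` block is what attestation steps need in GitHub Actions rather than anything this PR shows. In a real job only one of the three attest steps would be present.

```yaml
# Added example (not from the PR): how actions/attest@v4 chooses its mode,
# following the review above. Paths and step names are illustrative assumptions.
permissions:
  contents: read
  id-token: write        # needed to sign the attestation via Sigstore
  attestations: write    # needed to store it on the repository

steps:
  # 1. BROKEN: predicate-type alone switches attest into "custom" mode,
  #    which then requires predicate or predicate-path. With neither set
  #    the step fails at runtime with:
  #    "Error: One of predicate-path or predicate must be provided"
  - name: Attest (fails at runtime)
    uses: actions/attest@v4
    with:
      subject-path: dist/*.tar.gz
      predicate-type: https://slsa.dev/provenance/v1

  # 2. FIXED: no predicate inputs at all selects "provenance" mode, which
  #    auto-generates SLSA build provenance, the same output that
  #    attest-build-provenance@v1 produced. Nothing else is needed.
  - name: Attest build provenance
    uses: actions/attest@v4
    with:
      subject-path: dist/*.tar.gz

  # 3. Legitimate use of predicate-type: custom mode with an explicit
  #    predicate body. The predicate file here is constructed by the
  #    previous step purely for illustration.
  - name: Write custom predicate (illustrative)
    env:
      RUN_ID: ${{ github.run_id }}   # passed via env, not interpolated into the script
    run: |
      printf '{"build_id":"%s","reproducible":true}\n' "$RUN_ID" > predicate.json
  - name: Attest with custom predicate
    uses: actions/attest@v4
    with:
      subject-path: dist/*.tar.gz
      predicate-type: https://example.com/predicates/build-check/v1   # assumed type
      predicate-path: predicate.json
```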

@d0wn3d d0wn3d marked this pull request as draft March 18, 2026 17:04
@d0wn3d d0wn3d requested a review from thepastaclaw March 18, 2026 17:14
@thepastaclaw thepastaclaw left a comment

All previous feedback addressed — attest migration is correct (provenance mode by default), and the three missing workflow files are now updated. ACK 7de2547

One small nit: docker/setup-qemu-action@v3 in release_docker_hub.yml (line 16) could be bumped to v4 while you're here. Not a blocker.

@d0wn3d d0wn3d marked this pull request as ready for review March 18, 2026 17:25
This just helps remove the annoying annotations.

- Updated all GitHub Actions to latest versions:
  - actions/checkout: v4 → v6
  - actions/cache: v4 → v5
  - actions/cache/restore: v4 → v5
  - actions/cache/save: v4 → v5
  - actions/upload-artifact: v4 → v5
  - actions/download-artifact: v4 → v5
  - docker/setup-buildx-action: v3 → v4
  - docker/login-action: v3 → v4
  - docker/build-push-action: v6 → v7
  - docker/buildx: v4 → v5
  - docker/metadata-action: v6 → v7
  - docker/build-push-action: v6 → v7

- Updated deprecated actions/attest-build-provenance@v1
  - Uses actions/attest@v4 now

As of version 4, actions/attest-build-provenance is simply a wrapper on top of actions/attest.
Existing applications may continue to use the attest-build-provenance action, but new implementations should use actions/attest instead.

More info at: https://github.com/marketplace/actions/attest-build-provenance

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
.github/workflows/release_docker_hub.yml (1)

36-40: ⚠️ Potential issue | 🟡 Minor

Include Node.js runtime change when recommending the upgrade to v8.

The actions/github-script@v8 upgrade is available and recommended for version parity, but it includes a breaking change: the runtime upgrades from Node 20 to Node 24. Inline scripts will execute in Node 24, which requires a minimum GitHub Actions runner version of v2.327.1. Verify this is compatible with any Node-dependent logic in the workflow's inline script section before upgrading.

Suggested update
-    - name: Set suffix
-      uses: actions/github-script@v7
+    - name: Set suffix
+      uses: actions/github-script@v8
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release_docker_hub.yml around lines 36 - 40, The workflow
uses actions/github-script@v7 (the step with id: suffix and the inline script
under script) and the reviewer recommends upgrading to actions/github-script@v8;
note that v8 moves the Node runtime from 20→24 and requires runner >= v2.327.1,
so before changing the action reference update or verify compatibility of any
Node-dependent code inside the inline script, and either (A) adjust the inline
script to be Node 24 compatible (fix deprecated APIs, global changes, or
dependencies), or (B) explicitly ensure the workflow uses a runner version >=
v2.327.1 (or pin to a compatible runner), then change the action reference from
actions/github-script@v7 to actions/github-script@v8 in the step with id:
suffix.
.github/workflows/cache-depends-sources.yml (1)

23-34: ⚠️ Potential issue | 🟠 Major

Ensure self-hosted runners meet v2.329.0 before using these actions together.

This workflow accepts dynamic runner input from callers (inputs.runs-on), allowing it to run on self-hosted runners that may not meet the minimum version requirements: actions/checkout@v6 requires runner v2.329.0+ and actions/cache@v5 requires v2.327.1+. Callers using outdated self-hosted runners will encounter failures after these upgrades.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/cache-depends-sources.yml around lines 23 - 34, The
workflow allows callers to pass dynamic runs-on values (inputs.runs-on) but uses
actions/checkout@v6 and actions/cache@v5 which require newer runner versions;
update the workflow to either restrict or validate the runner version before
using these actions by (1) forbidding self-hosted runners in inputs.runs-on or
restricting allowed values to hosted runners, or (2) adding an early step that
inspects runner.version and fails with a clear message if runner < 2.329.0, and
only proceeds to the steps that use actions/checkout@v6 and actions/cache@v5
when the check passes; reference the actions/checkout@v6, actions/cache@v5
entries and the inputs.runs-on usage to locate where to add the validation or
restriction.

📥 Commits

Reviewing files that changed from the base of the PR and between 1d24e97 and 667f395.

📒 Files selected for processing (12)
  • .github/workflows/build-container.yml
  • .github/workflows/build-depends.yml
  • .github/workflows/build-src.yml
  • .github/workflows/build.yml
  • .github/workflows/cache-depends-sources.yml
  • .github/workflows/clang-diff-format.yml
  • .github/workflows/guix-build.yml
  • .github/workflows/lint.yml
  • .github/workflows/merge-check.yml
  • .github/workflows/predict-conflicts.yml
  • .github/workflows/release_docker_hub.yml
  • .github/workflows/test-src.yml
🚧 Files skipped from review as they are similar to previous changes (4)
  • .github/workflows/build-depends.yml
  • .github/workflows/lint.yml
  • .github/workflows/predict-conflicts.yml
  • .github/workflows/build.yml
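One way to implement the two options CodeRabbit's outside-diff comment on cache-depends-sources.yml lists (restrict the caller-supplied label, or fail early on an old runner), as an added example rather than the repository's own workflow. The label allowlist, the `blacksmith-*` pattern, the cache path and key, and the `RUNNER_VERSION` variable are assumptions: the version check expects the self-hosted runner's service environment to export that variable, since the workflow otherwise has no version string to compare.

```yaml
# Added example (not the repository's workflow): gate a reusable workflow's
# caller-supplied runner label before steps that need Actions Runner >= 2.329.0.
# Label names, cache path/key and RUNNER_VERSION are illustrative assumptions.
on:
  workflow_call:
    inputs:
      runs-on:
        type: string
        default: ubuntu-24.04

jobs:
  sources:
    runs-on: ${{ inputs.runs-on }}
    steps:
      # Option 1: refuse any label outside a known-good set, so a caller
      # cannot route the job onto an outdated self-hosted fleet.
      - name: Check runner label is allowed
        env:
          LABEL: ${{ inputs.runs-on }}
        run: |
          case "$LABEL" in
            ubuntu-24.04|ubuntu-22.04) ;;   # GitHub-hosted, always current
            blacksmith-*) ;;                # assumed fleet kept at >= 2.329.0
            *) echo "::error::runs-on '$LABEL' is not an approved runner label"
               exit 1 ;;
          esac

      # Option 2: compare the runner version numerically. Hosted runners are
      # skipped; self-hosted ones are assumed to export RUNNER_VERSION from
      # their service environment (not a built-in Actions variable).
      - name: Check self-hosted runner version
        if: ${{ !startsWith(inputs.runs-on, 'ubuntu-') }}
        env:
          MIN: 2.329.0
        run: |
          actual="${RUNNER_VERSION:-}"
          if [ -z "$actual" ]; then
            echo "::error::RUNNER_VERSION is not set on this runner"; exit 1
          fi
          # Field-by-field compare: a string compare would rank 2.1000.0 below 2.329.0.
          IFS=. read -r a1 a2 a3 <<<"$actual"
          IFS=. read -r m1 m2 m3 <<<"$MIN"
          for pair in "$a1:$m1" "$a2:$m2" "$a3:$m3"; do
            a=${pair%%:*}; m=${pair##*:}
            if [ "$a" -gt "$m" ]; then break; fi
            if [ "$a" -lt "$m" ]; then
              echo "::error::runner $actual is older than $MIN required by checkout@v6/cache@v5"
              exit 1
            fi
          done
          echo "runner $actual satisfies >= $MIN"

      # Only reached when the gate above passed.
      - uses: actions/checkout@v6
      - uses: actions/cache@v5
        with:
          path: sources                                  # illustrative
          key: sources-${{ runner.os }}-${{ github.sha }}
```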

Comment on lines 51 to 53
- name: comment
uses: mshick/add-pr-comment@v2
uses: mshick/add-pr-comment@v3
if: failure()
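Review bot: as rendered, the hunk has lost its -/+ markers; the two `uses:` lines are the `mshick/add-pr-comment@v2` reference being replaced by `@v3` under an unchanged `if: failure()` guard, so the step still runs only after an earlier step fails. Because this workflow runs on `pull_request_target` with `pull-requests: write`, the mutable `@v3` tag is the review point: pin to the full 40-character commit SHA of the v3 release and keep `# v3` as a trailing comment so the bump stays readable, and confirm the step's inputs carried over unchanged across the v2 to v3 major bump.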

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

python - <<'PY'
import pathlib, re

# Scan every workflow that uses the privileged pull_request_target trigger
# and report whether each action reference is pinned to a full 40-hex
# commit SHA or only to a mutable tag/branch.
wf_dir = pathlib.Path(".github/workflows")
# Match both "uses: x@y" and "- uses: x@y", with an optional trailing "# v3" comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*(\S+)(?:\s+#.*)?\s*$', re.M)
for wf in sorted(wf_dir.glob("*.yml")):
    text = wf.read_text()
    if "pull_request_target" not in text:
        continue
    print(f"\n## {wf}")
    for m in USES_RE.finditer(text):
        uses = m.group(1)
        # Local actions and docker:// images are not git refs; skip them.
        if uses.startswith("./") or uses.startswith("docker://"):
            continue
        line = text[:m.start()].count("\n") + 1
        pinned = bool(re.search(r'@[0-9a-fA-F]{40}$', uses))
        status = "SHA_PINNED" if pinned else "TAG_PINNED"
        print(f"{status}\tLine {line}\t{uses}")
PY


🏁 Script executed:

cat -n .github/workflows/merge-check.yml | head -60


Pin the third-party comment action to a full commit SHA in this privileged workflow.

The workflow uses pull_request_target (line 8) with pull-requests: write permissions (line 4) and runs mshick/add-pr-comment@v3 (line 52) with a mutable tag. This combination creates supply-chain risk—the tag could be updated by the maintainer at any time, potentially executing compromised code with elevated privileges.

Suggested hardening
      - name: comment
        uses: mshick/add-pr-comment@v3
+        uses: mshick/add-pr-comment@<full_commit_sha_for_v3>
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/merge-check.yml around lines 51 - 53, The workflow uses
the mutable action reference "mshick/add-pr-comment@v3" in a privileged
pull_request_target run; replace the mutable tag with a specific full commit SHA
for the mshick/add-pr-comment action (e.g.,
mshick/add-pr-comment@<full-commit-sha>) so the workflow is pinned to an
immutable commit, ensuring the action cannot be altered later—locate the "uses:
mshick/add-pr-comment@v3" line and update it to the verified full 40-character
commit SHA for that repository/release.

@PastaPastaPasta PastaPastaPasta left a comment

utACK 667f395

@d0wn3d d0wn3d requested a review from thepastaclaw March 20, 2026 18:03
@UdjinM6 UdjinM6 left a comment

utACK 667f395

@thepastaclaw thepastaclaw left a comment

All previous feedback addressed. QEMU nit fixed (v3→v4), predicate-type correctly removed, and all three missed workflow files updated. CI failures (linux64-test, linux64_multiprocess-test) are pre-existing test flakes, unrelated to this PR.

ACK 667f395
