Proposed Changes
Review the repo-managed GitHub Actions workflows on main and update the remaining actions that still rely on deprecated Node.js 20 runtimes. As part of the same cleanup, pin the remaining version-tag references to full commit SHAs.
Affected workflows:
lint-tests.yamlrelease.yaml
This primarily includes:
actions/checkout@v4actions/setup-python@v5actions/upload-artifact@v4actions/download-artifact@v4
lint-tests.yaml already runs Ruff directly, so there is no separate Ruff action to update here. release.yaml already pins pypa/gh-action-pypi-publish to a commit SHA, so that step likely just needs validation as part of this work.
This change should be limited to the GitHub Actions used by the workflows themselves; it does not change the Python version used for testing or the release process.
Justification
GitHub has deprecated Node 20 on Actions runners and will begin using Node 24 by default. Updating the remaining workflow dependencies now should help avoid warnings and future breakage while keeping netbox-custom-objects aligned with the rest of the NetBox ecosystem.
Pinning the remaining GitHub Actions to full commit SHAs also improves workflow security by reducing supply chain risk from tag retargeting and makes the referenced action versions easier to audit.
Proposed Changes
Review the repo-managed GitHub Actions workflows on
mainand update the remaining actions that still rely on deprecated Node.js 20 runtimes. As part of the same cleanup, pin the remaining version-tag references to full commit SHAs.Affected workflows:
lint-tests.yamlrelease.yamlThis primarily includes:
actions/checkout@v4actions/setup-python@v5actions/upload-artifact@v4actions/download-artifact@v4lint-tests.yamlalready runs Ruff directly, so there is no separate Ruff action to update here.release.yamlalready pinspypa/gh-action-pypi-publishto a commit SHA, so that step likely just needs validation as part of this work.This change should be limited to the GitHub Actions used by the workflows themselves; it does not change the Python version used for testing or the release process.
Justification
GitHub has deprecated Node 20 on Actions runners and will begin using Node 24 by default. Updating the remaining workflow dependencies now should help avoid warnings and future breakage while keeping
netbox-custom-objectsaligned with the rest of the NetBox ecosystem.Pinning the remaining GitHub Actions to full commit SHAs also improves workflow security by reducing supply chain risk from tag retargeting and makes the referenced action versions easier to audit.