NO-JIRA: chore(deps): update external GitHub Actions to latest versions #2827

Merged
jiridanek merged 10 commits into opendatahub-io:main from jiridanek:jd/2026/01/updategha
Jan 14, 2026

@jiridanek jiridanek commented Jan 14, 2026

Summary

Updates external GitHub Actions to their latest versions for improved security, performance, and Node.js 24 compatibility.

Changes

| Action | Old Version | New Version | Key Changes | Release Notes |
|---|---|---|---|---|
| actions/checkout | v5 | v6 | Node.js 24 support, credentials now stored in $RUNNER_TEMP | v6.0.0 |
| actions/setup-go | v5 | v6 | Node.js 24 support | v6.0.0 |
| actions/setup-python | v5 | v6 | Node.js 24 support | v6.0.0 |
| actions/cache | v4 | v5 | Node.js 24 support | v5.0.0 |
| actions/add-to-project | v0.5.0 | v1 | Stable release with improved API | v1.0.2 |
| actions/github-script | v7 | v8 | Node.js 24 support | v8.0.0 |
| peter-evans/create-pull-request | v6.1.0 | v8.0.0 | Better conflict handling, new features | v7.0.0, v8.0.0 |
| snok/container-retention-policy | v3.0.0 | v3.0.1 | Bug fixes | v3.0.1 |

Security Improvements

  • actions/checkout@v6: Credentials are now persisted to a separate file under $RUNNER_TEMP instead of .git/config, reducing risk of accidental credential exposure in artifacts. See PR #2286 for details.

Breaking Changes

  • Node.js 24: All updated actions/* now require Actions Runner v2.327.1+ (GitHub-hosted runners are already updated)
  • Docker container actions: For authenticated git commands in Docker containers, Actions Runner v2.329.0+ is required

Notes

  • docker/login-action@v3 and repo-sync/pull-request@v2 use floating major version tags and are already receiving updates automatically
  • SHA-pinned actions (peter-evans/create-pull-request, snok/container-retention-policy) have been updated to new SHAs

Testing

  • CI workflows pass
  • Build workflows complete successfully

Changes in v6:
- Node.js 24 support (requires runner v2.327.1+)
- Persist credentials to separate file under $RUNNER_TEMP
- Improved worktree support for persist-credentials includeIf

Breaking: Requires Actions Runner v2.329.0 for Docker container actions

Changes in v6:
- Node.js 24 support (requires runner v2.327.1+)
- Improved toolchain handling for reliable selection
- Support for .tool-versions file (v6.1.0)
- Fallback to go.dev/dl instead of storage.googleapis.com

Breaking: Improved toolchain handling may affect existing setups

Changes in v6:
- Node.js 24 support (requires runner v2.327.1+)
- New pip-version input to specify pip version
- Enhanced reading from .python-version file
- Version parsing from Pipfile
- v6.1.0: pip-install input and GraalPy early-access support

New feature: Consider using pip-version input for reproducible builds

Changes in v5:
- Node.js 24 support (requires runner v2.327.1+)
- v5.0.1 fixes Node.js 24 punycode deprecation warning

No new features, primarily runtime upgrade

Changes from v0.5.0 to v1:
- Promoted to stable API (v1.0.0)
- Added reopened event support (v0.6.0)
- Documented outputs in action manifest
- Security fix for undici

Now uses stable v1 major version tag

Changes in v8:
- Node.js 24 support (requires runner v2.327.1+)

No new features, primarily runtime upgrade

docker/login-action is currently using @v3 which is a floating major
version tag. Latest release is v3.6.0.

New features available:
- registry-auth input for raw authentication (v3.6.0)
- Dual-stack endpoints for AWS ECR (v3.5.0)

No changes needed - floating tag auto-updates to latest v3.x

Changes in v8:
- Node.js 24 support (requires runner v2.327.1+)
- v7.0.9 fixed compatibility with actions/checkout@v6

Updated SHA from c5a7806660adbe173f04e3e038b0ccdcd758773c (v6.1.0)
to 98357b18bf14b5342f975ff684046ec3b2a07725 (v8.0.0)

Changes in v3.0.1:
- Use provided GITHUB_* URL variables
- Fix output coloring
- Update dependencies

Updated SHA from 4f22ef80902ad409ed55a99dc5133cc1250a0d03 (v3.0.0)
to 3b0972b2276b171b212f8c4efbca59ebba26eceb (v3.0.1)

repo-sync/pull-request is currently using @v2 which is a floating major
version tag. Latest release is v2.12.1.

Changes since v2:
- Third-party repository support (v2.10)
- Logging and pr_created flag (v2.11)
- Fix special characters in repo URL (v2.12.1)

No changes needed - floating tag auto-updates to latest v2.x
@openshift-ci openshift-ci bot requested review from atheo89 and dibryant January 14, 2026 06:06
@github-actions github-actions bot added the review-requested GitHub Bot creates notification on #pr-review-ai-ide-team slack channel label Jan 14, 2026
@openshift-ci openshift-ci bot added the size/l label Jan 14, 2026
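
The Notes in the PR description separate actions referenced by floating major tags from SHA-pinned ones. The following is an added example, not code from this PR or the repository: a small auditor that classifies every `uses:` reference in a workflow file and flags SHA pins that lack a version comment. The sample workflow is constructed; its action names and the two commit SHAs are the ones quoted on this page, and the function names are assumptions of the example.

```python
import re
from dataclasses import dataclass

# `uses: owner/repo[/path]@ref`, optionally quoted, with an optional `# comment`.
USES_RE = re.compile(
    r"""^\s*(?:-\s*)?uses:\s*['"]?(?P<target>[^\s'"#]+)['"]?\s*(?:#\s*(?P<comment>.*))?$"""
)
FULL_SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")
MAJOR_TAG_RE = re.compile(r"^v?\d+$")
EXACT_TAG_RE = re.compile(r"^v?\d+\.\d+(\.\d+)?$")
VERSION_COMMENT_RE = re.compile(r"v?\d+(\.\d+)*")


@dataclass(frozen=True)
class ActionRef:
    line_no: int
    action: str
    ref: str
    kind: str
    comment: str


def classify_ref(ref):
    """Classify the part after '@'. Only a full commit SHA is immutable."""
    if FULL_SHA_RE.match(ref):
        return "sha-pinned"
    if MAJOR_TAG_RE.match(ref):
        return "floating-major-tag"
    if EXACT_TAG_RE.match(ref):
        return "exact-tag"  # a tag can still be moved by the action's owner
    return "branch-or-other"


def audit_workflow(text):
    """Return one ActionRef per third-party `uses:` line in a workflow file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if target.startswith("./") or target.startswith("docker://"):
            continue  # local actions and container images are out of scope here
        action, sep, ref = target.partition("@")
        kind = classify_ref(ref) if sep else "missing-ref"
        comment = (m.group("comment") or "").strip()
        findings.append(ActionRef(line_no, action, ref, kind, comment))
    return findings


def unpinned(findings):
    """References whose code can change without a diff in this repository."""
    return [f for f in findings if f.kind != "sha-pinned"]


def missing_version_comment(findings):
    """SHA pins with no trailing version comment are hard to review later."""
    return [
        f for f in findings
        if f.kind == "sha-pinned" and not VERSION_COMMENT_RE.search(f.comment)
    ]


# Constructed sample workflow (not a file from the repository).
SAMPLE_WORKFLOW = """\
name: constructed-sample
on: push
jobs:
  build:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v6
      - uses: docker/login-action@v3
      - name: Open PR
        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
      - uses: snok/container-retention-policy@3b0972b2276b171b212f8c4efbca59ebba26eceb # v3.0.1
      - uses: ./.github/actions/install-podman-action
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line_no}: {f.action}@{f.ref[:12]} -> {f.kind} {f.comment}")
```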

coderabbitai bot commented Jan 14, 2026

Walkthrough

This PR systematically upgrades GitHub Actions workflow dependencies across the repository. Changes include bumping actions/checkout from v5 to v6, actions/setup-go and actions/setup-python from v5 to v6, actions/github-script from v7 to v8, actions/cache from v4 to v5, actions/add-to-project from v0.5.0 to v1, peter-evans/create-pull-request from v6.1.0 to v8.0.0, and updating container-retention-policy to v3.0.1. No logic or control flow modifications are present.

Changes

| Cohort | File(s) | Summary |
|---|---|---|
| Primary checkout v5→v6 upgrades | .github/workflows/create-release.yaml, .github/workflows/docs.yaml, .github/workflows/params-env.yaml, .github/workflows/security.yaml, .github/workflows/software-versions.yaml, .github/workflows/test-install-podman.yaml, .github/workflows/test-provision-k8s.yaml, .github/workflows/update-buildconfigs.yaml, .github/workflows/update-commit-latest-env.yaml, .github/workflows/update-tags.yaml | Single version bump: actions/checkout@v5 → @v6 across 10 workflow files |
| Checkout + setup-go upgrades | .github/workflows/build-notebooks-TEMPLATE.yaml, .github/workflows/build-notebooks-pr-aipcc.yaml, .github/workflows/build-notebooks-pr-rhel.yaml, .github/workflows/build-notebooks-pr.yaml, .github/workflows/build-notebooks-push.yaml | Dual version bumps: actions/checkout@v5 → @v6 and actions/setup-go@v5 → @v6 |
| Checkout + github-script upgrades | .github/workflows/pr-merge-image-delete.yml | Dual version bumps: actions/checkout@v5 → @v6 and actions/github-script@v7 → @v8 |
| Checkout + setup-python upgrades | .github/workflows/piplock-renewal.yaml | Dual version bumps: actions/checkout@v5 → @v6 and actions/setup-python@v5 → @v6 |
| Checkout (multiple) + setup-python upgrades | .github/workflows/sec-scan.yml | Version bumps: multiple actions/checkout@v5 → @v6 and actions/setup-python@v5 → @v6 instances |
| Checkout + create-pull-request upgrades | .github/workflows/sync-branches-through-pr.yml | Dual version bumps: actions/checkout@v5 → @v6 and peter-evans/create-pull-request@v6.1.0 → @v8.0.0 |
| Code quality checkout upgrades | .github/workflows/code-quality.yaml | Multiple actions/checkout@v5 → @v6 bumps across three jobs (check-generated-code, pytest-tests, code-static-analysis) |
| Digest updater & release checkout upgrades | .github/workflows/notebooks-digest-updater.yaml, .github/workflows/notebooks-release.yaml | Dual actions/checkout@v5 → @v6 bumps per file |
| Test & cleanup checkout upgrades | .github/workflows/test-trivy-scan-action.yaml | Dual actions/checkout@v5 → @v6 bumps across two workflow steps |
| Single-action version upgrades | .github/actions/install-podman-action/action.yml | actions/cache@v4 → @v5 |
| GitHub script upgrade | .github/workflows/notify-team-to-review-pr.yml | actions/github-script@v7 → @v8 |
| Project management action upgrade | .github/workflows/auto-add-issue-to-project.yml | actions/add-to-project@v0.5.0 → @v1 for two project entries |
| Container retention policy upgrade | .github/workflows/purge-ghcr.yaml | Commit hash update for container-retention-policy (v3.0.0 → v3.0.1) |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Title check | ✅ Passed | The pull request title clearly and concisely summarizes the main change: updating GitHub Actions dependencies to their latest versions across multiple workflows. |
| Description check | ✅ Passed | The PR description is comprehensive, well-structured, and provides clear justification for the changes. |

@jiridanek jiridanek changed the title chore(deps): update external GitHub Actions to latest versions NO-JIRA: chore(deps): update external GitHub Actions to latest versions Jan 14, 2026
@openshift-ci openshift-ci bot added size/l and removed size/l labels Jan 14, 2026

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/actions/install-podman-action/action.yml (1)

16-22: LGTM, but note runner version requirement and cache service migration.

The upgrade from actions/cache@v4 to @v5 maintains the same cache syntax and configuration. However:

  • Minimum runner requirement: v5 requires GitHub Actions runner >= 2.327.1. Self-hosted runners must be updated.
  • Cache service migration: v5 uses the new cache service (v2) APIs. This is a backend change, though backward compatible with the new service. The legacy service sunset is scheduled for February 1, 2025.
  • Node.js 24: v5 runs on Node.js 24 (v4 uses Node.js 20). Verify any custom actions or dependencies are compatible.

The cache configuration itself (path, key) remains unchanged and will continue to work.

🤖 Fix all issues with AI agents
In @.github/workflows/test-provision-k8s.yaml:
- Line 19: Update the runner version requirement text that accompanies the
actions/checkout@v6 upgrade to specify Actions Runner v2.329.0 or later (not
v2.327.1+); keep the actions/checkout@v6 usage as-is and note that standard
checkout on ubuntu-24.04 already meets this requirement and no workflow changes
are needed for the credential storage behavior.
📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fd0eea1 and 920d1db.

📒 Files selected for processing (27)
  • .github/actions/install-podman-action/action.yml
  • .github/workflows/auto-add-issue-to-project.yml
  • .github/workflows/build-notebooks-TEMPLATE.yaml
  • .github/workflows/build-notebooks-pr-aipcc.yaml
  • .github/workflows/build-notebooks-pr-rhel.yaml
  • .github/workflows/build-notebooks-pr.yaml
  • .github/workflows/build-notebooks-push.yaml
  • .github/workflows/code-quality.yaml
  • .github/workflows/create-release.yaml
  • .github/workflows/docs.yaml
  • .github/workflows/notebooks-digest-updater.yaml
  • .github/workflows/notebooks-release.yaml
  • .github/workflows/notify-team-to-review-pr.yml
  • .github/workflows/params-env.yaml
  • .github/workflows/piplock-renewal.yaml
  • .github/workflows/pr-merge-image-delete.yml
  • .github/workflows/purge-ghcr.yaml
  • .github/workflows/sec-scan.yml
  • .github/workflows/security.yaml
  • .github/workflows/software-versions.yaml
  • .github/workflows/sync-branches-through-pr.yml
  • .github/workflows/test-install-podman.yaml
  • .github/workflows/test-provision-k8s.yaml
  • .github/workflows/test-trivy-scan-action.yaml
  • .github/workflows/update-buildconfigs.yaml
  • .github/workflows/update-commit-latest-env.yaml
  • .github/workflows/update-tags.yaml
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-12-19T15:54:11.014Z
Learnt from: jiridanek
Repo: opendatahub-io/notebooks PR: 2790
File: .github/workflows/build-notebooks-TEMPLATE.yaml:209-213
Timestamp: 2025-12-19T15:54:11.014Z
Learning: Podman buildenv behavior: --unsetenv removes variables from the final image, not during build. If you need a variable during the build (e.g., for compilation), pass it with --env=VAR=value; after build, use --unsetenv=VAR to remove it from the final image. Apply this pattern in workflow steps that build notebooks to ensure sensitive or build-time vars are not left in the final image.

Applied to files:

  • .github/workflows/test-provision-k8s.yaml
  • .github/workflows/docs.yaml
  • .github/workflows/test-trivy-scan-action.yaml
  • .github/workflows/software-versions.yaml
  • .github/workflows/notebooks-release.yaml
  • .github/workflows/security.yaml
  • .github/workflows/create-release.yaml
  • .github/workflows/test-install-podman.yaml
  • .github/workflows/build-notebooks-pr-rhel.yaml
  • .github/workflows/build-notebooks-pr.yaml
  • .github/workflows/update-tags.yaml
  • .github/workflows/update-buildconfigs.yaml
  • .github/workflows/update-commit-latest-env.yaml
  • .github/workflows/build-notebooks-pr-aipcc.yaml
  • .github/workflows/build-notebooks-TEMPLATE.yaml
  • .github/workflows/build-notebooks-push.yaml
  • .github/workflows/params-env.yaml
  • .github/workflows/piplock-renewal.yaml
  • .github/workflows/notebooks-digest-updater.yaml
  • .github/workflows/purge-ghcr.yaml
  • .github/workflows/code-quality.yaml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Test Template with Minimal Notebook / build
🔇 Additional comments (36)
.github/workflows/update-commit-latest-env.yaml (1)

24-27: LGTM — checkout v6 upgrade is appropriate.

The upgrade aligns with the PR's goal of Node.js 24 compatibility. The token parameter continues to work in v6, and the credential helper will still support the git push operation at line 43. The ubuntu-latest runner should meet the v2.327.1+ requirement.

.github/workflows/auto-add-issue-to-project.yml (1)

18-25: LGTM! Upgrade to stable v1 API is safe.

The version bump from v0.5.0 to v1 aligns with the PR objectives to move to the stable v1 API with security fixes. The inputs (project-url, github-token) are confirmed as supported in v1 with no breaking changes, and the GitHub App token approach is the recommended authentication method.

.github/workflows/test-trivy-scan-action.yaml (2)

24-25: LGTM!

Consistent upgrade to actions/checkout@v6 in the image scan job.


75-76: LGTM!

Consistent upgrade to actions/checkout@v6 in the filesystem scan job.

.github/workflows/create-release.yaml (1)

47-49: LGTM!

The upgrade to actions/checkout@v6 preserves the fetch-depth: 0 setting required for release tag generation with full git history.

.github/workflows/software-versions.yaml (1)

28-28: LGTM!

Consistent upgrade to actions/checkout@v6.

.github/workflows/notebooks-release.yaml (2)

75-77: LGTM!

The upgrade to actions/checkout@v6 looks correct. The workflow uses GITHUB_TOKEN from environment variables for git operations rather than relying on checkout-persisted credentials, so the credential path change in v6 shouldn't affect this workflow.

Ensure the GitHub-hosted runners support Actions Runner v2.327.1+ which is required for checkout@v6. As of late 2025, GitHub-hosted runners should meet this requirement, but verify CI passes.


108-110: LGTM!

Same as above—this checkout step correctly uses fetch-depth: 0 and the workflow's git operations rely on GITHUB_TOKEN environment variable.

.github/workflows/notify-team-to-review-pr.yml (1)

22-33: LGTM!

The upgrade to actions/github-script@v8 is appropriate for Node.js 24 compatibility. The script uses standard Octokit REST API calls which remain compatible across versions.

.github/workflows/security.yaml (1)

28-29: LGTM!

The upgrade to actions/checkout@v6 is appropriate. This workflow performs read-only security scanning without any git operations that would depend on persisted credentials.

.github/workflows/code-quality.yaml (3)

15-15: LGTM!

The upgrade to actions/checkout@v6 is appropriate. This job only performs read-only git operations (git status, git diff) to verify generated code is committed.


44-44: LGTM!

Checkout upgrade is correct for this test job which doesn't perform any git operations after checkout.


74-74: LGTM!

Checkout upgrade is correct for this static analysis job which only reads files without git operations.

.github/workflows/update-buildconfigs.yaml (1)

37-40: LGTM. The upgrade to actions/checkout@v6 is compatible with this workflow. The ci/buildconfig-updater.sh script is a simple file editor that doesn't reference any credential paths, and the workflow uses GITHUB_TOKEN via environment variable for all git operations.

.github/workflows/docs.yaml (1)

19-19: LGTM!

The actions/checkout upgrade to v6 is appropriate for Node.js 24 compatibility. This workflow performs a simple checkout followed by script execution, so the v6 credential handling changes don't impact it.

.github/workflows/update-tags.yaml (1)

17-20: LGTM!

The upgrade to actions/checkout@v6 is correct. This workflow performs git push operations (line 68), and v6 continues to persist credentials by default (now stored in $RUNNER_TEMP instead of .git/config), so authenticated git commands will continue to work.

.github/workflows/build-notebooks-push.yaml (1)

32-36: LGTM!

Both action upgrades are appropriate:

  • actions/checkout@v6: Node.js 24 compatibility
  • actions/setup-go@v6: Node.js 24 support with improved toolchain handling; the cache-dependency-path option remains compatible

.github/workflows/build-notebooks-pr.yaml (1)

31-35: LGTM!

The upgrades to actions/checkout@v6 and actions/setup-go@v6 are correct. The subsequent git fetch operations (lines 40-41) will continue to work as they fetch public refs from the same repository.

.github/workflows/build-notebooks-pr-aipcc.yaml (1)

53-62: LGTM!

All action upgrades are correct and consistent:

  • Both conditional actions/checkout@v6 steps (lines 53 and 57) are updated consistently
  • actions/setup-go@v6 upgrade maintains the same cache configuration

The security gating (lines 40-49) that runs before checkout remains intact, which is critical for this pull_request_target workflow.

.github/workflows/notebooks-digest-updater.yaml (1)

53-67: LGTM!

The actions/checkout updates from v5 to v6 are consistent with the PR objectives. The existing configuration options (ref, fetch-depth) remain compatible with v6.

.github/workflows/sec-scan.yml (3)

31-34: LGTM!

The actions/checkout@v6 update is consistent with the PR-wide version bump.


54-58: LGTM!

Checkout steps for upstream repository references are correctly updated to v6.


96-99: LGTM!

The actions/setup-python@v6 update maintains compatibility with the existing python-version-file configuration.

.github/workflows/build-notebooks-pr-rhel.yaml (1)

51-60: LGTM!

The actions/checkout@v6 and actions/setup-go@v6 updates are consistent with the PR objectives. The security check correctly precedes checkout for this pull_request_target workflow, which is essential for safe handling of untrusted PR code.

.github/workflows/sync-branches-through-pr.yml (2)

22-25: LGTM!

The actions/checkout@v6 update is consistent with the PR objectives.


38-47: SHA pin is correct for v8.0.0. The commit 98357b18bf14b5342f975ff684046ec3b2a07725 correctly corresponds to peter-evans/create-pull-request@v8.0.0. The options used (branch, title, body) remain fully compatible with v8.0.0; no breaking changes affect these parameters.

.github/workflows/build-notebooks-TEMPLATE.yaml (3)

75-85: LGTM!

The actions/checkout@v6 updates are consistent with the PR objectives. The conditional checkout logic and LFS support configuration remain compatible with v6.


134-136: LGTM!

The actions/setup-go@v6 update for scripts/buildinputs is consistent with the PR objectives.


404-408: LGTM!

The second actions/setup-go@v6 instance for scripts/check-payload correctly uses a separate cache-dependency-path and maintains the custom GOPATH configuration.

.github/workflows/test-install-podman.yaml (1)

25-25: LGTM!

The upgrade to actions/checkout@v6 is appropriate. This workflow uses ubuntu-24.04 which should have the required Actions Runner v2.327.1+ for Node.js 24 support. The workflow doesn't use git credentials post-checkout, so the credential location change in v6 won't impact functionality.

.github/workflows/pr-merge-image-delete.yml (2)

17-19: LGTM!

The upgrade to actions/checkout@v6 is appropriate. The fetch-depth: '0' option for full history remains fully supported.


26-43: LGTM!

The upgrade to actions/github-script@v8 is appropriate. The script logic using context.issue.number and github.rest.repos.listPullRequestsAssociatedWithCommit is standard GitHub API usage that remains compatible with v8.

.github/workflows/piplock-renewal.yaml (2)

75-77: LGTM!

The upgrade to actions/setup-python@v6 is appropriate. The python-version input usage remains unchanged and compatible.


64-67: No changes required for credential handling.

This workflow correctly passes the custom token to actions/checkout@v6, which is the recommended approach for authenticated push operations in v6. The token is securely persisted to $RUNNER_TEMP by default and will be available for subsequent git push commands. The change in credential storage location is a security improvement and does not affect the workflow's functionality.

.github/workflows/params-env.yaml (1)

21-21: LGTM!

The upgrade to actions/checkout@v6 is appropriate. This workflow uses default checkout options and doesn't perform git operations post-checkout, so the credential location change has no impact.

.github/workflows/purge-ghcr.yaml (1)

23-23: LGTM! SHA-pinned patch update is correct.

Good security practice keeping the SHA-pinned reference with an inline version comment. This patch bump (v3.0.0 → v3.0.1) is low-risk and the SHA 3b0972b2276b171b212f8c4efbca59ebba26eceb correctly corresponds to the v3.0.1 release tag.

runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@v6
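
Review bot: the replacement line `- uses: actions/checkout@v6` still references a mutable major tag, while this PR's own notes say peter-evans/create-pull-request and snok/container-retention-policy are pinned by commit SHA. Consider pinning actions/checkout the same way, using the full 40-character commit SHA of the v6 release followed by a `# v6` comment, so the action code that runs in this job cannot change without a reviewed diff.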

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

# Check the git diff for the workflow file to confirm v5→v6 upgrade
git diff HEAD -- .github/workflows/test-provision-k8s.yaml

Repository: opendatahub-io/notebooks

Length of output: 50


🌐 Web query:

actions/checkout v6 requirements changes breaking

💡 Result:

Short summary — what changed in actions/checkout v6 that can break workflows:

  • Credential storage: persist-credentials still exists but v6 no longer writes the token directly into .git/config; it stores credentials in $RUNNER_TEMP and references them from .git/config. Workflows or build/publish steps that assumed credentials were inside the repo (or that packaged .git/config) may break or behave differently. [1][3]

  • Runner minimum for container-authenticated git: if you run authenticated git commands from inside a Docker container action, runners must be v2.329.0 or later. Jobs on older self-hosted runners (or older GitHub-hosted runners) will fail for that scenario. [1][2]

  • Related/node-runtime notes: earlier major updates (v5) moved node runtime versions and had their own runner minimums (v2.327.1 for Node24/Node20 transitions); check your other actions for similar runtime/runner requirements. [2]

If you want, tell me whether you use GitHub-hosted or self-hosted runners and I’ll list concrete fixes (pinning action version, upgrading runner, or changing persist-credentials usage).

Sources: [1] actions/checkout v6 release/marketplace notes; [2] actions/checkout README; [3] GitHub Community discussion about the v6 credential change.


🌐 Web query:

actions/checkout v6 changelog release notes

💡 Result:

Summary of actions/checkout v6 release notes — key changes:

  • persist-credentials now writes credentials to a separate file under $RUNNER_TEMP (improved credential security). [1][3]
  • No workflow changes required; git fetch/push continue to work automatically. [1]
  • Running authenticated git commands from a Docker container action requires Actions Runner v2.329.0 or later. [1][2]
  • v6 updates README to document Node.js 24 runtime support and related runner requirements. [3][2]

Sources:

  • actions/checkout README / "What's new" (v6). [1]
  • GitHub Marketplace Checkout v6 notes. [2]
  • actions/checkout changelog / release commits (v6, v6.0.1). [3]

🏁 Script executed:

# Read the actual workflow file to confirm current state
cat -n .github/workflows/test-provision-k8s.yaml | head -30

Repository: opendatahub-io/notebooks

Length of output: 659


Update runner version requirement for actions/checkout v6.

The upgrade to actions/checkout@v6 is appropriate. However, the runner version requirement is inaccurate: v6 requires Actions Runner v2.329.0 or later for authenticated git commands executed from Docker container actions, not v2.327.1+. For standard checkout operations, ubuntu-24.04 runners meet the requirement. The credential storage improvement (now using $RUNNER_TEMP instead of .git/config) requires no workflow changes.

@openshift-ci openshift-ci bot added size/l and removed size/l labels Jan 14, 2026
@jiridanek jiridanek added the tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. label Jan 14, 2026
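
The PR description and the review above both note that checkout v6 moves persisted credentials out of `.git/config`, which matters when a job packages its working tree into an artifact. The following is an added example, not code from this PR or from actions/checkout: a pre-upload check that scans a staging directory for git configs that still embed credentials. The sample configs, the token value and the include path are constructed; the `extraheader = AUTHORIZATION: basic ...` form is what checkout releases before v6 wrote into `.git/config`.

```python
import base64
import os
import re

# Auth header written into .git/config by checkout releases before v6 when
# persist-credentials was on: "extraheader = AUTHORIZATION: basic <base64>".
EXTRAHEADER_RE = re.compile(r"^\s*extraheader\s*=\s*authorization:\s*\S+", re.I)
# Remote URL carrying userinfo, e.g. https://user:secret@host/owner/repo.git
URL_USERINFO_RE = re.compile(r"^\s*url\s*=\s*https?://[^/\s@]+@", re.I)
SECTION_RE = re.compile(r"^\s*\[")
INCLUDE_SECTION_RE = re.compile(r"^\s*\[include(if)?\b", re.I)
PATH_RE = re.compile(r"^\s*path\s*=\s*(?P<path>.+?)\s*$", re.I)


def scan_git_config(text):
    """Return (kind, line_no, detail) tuples for one git config file's text."""
    findings, in_include = [], False
    for line_no, line in enumerate(text.splitlines(), 1):
        if SECTION_RE.match(line):
            in_include = bool(INCLUDE_SECTION_RE.match(line))
            continue
        if EXTRAHEADER_RE.match(line):
            findings.append(("embedded-auth-header", line_no, "value redacted"))
        elif URL_USERINFO_RE.match(line):
            findings.append(("credential-in-url", line_no, "value redacted"))
        elif in_include:
            m = PATH_RE.match(line)
            if m:  # the secret, if any, lives outside this tree
                findings.append(("external-include", line_no, m.group("path")))
    return findings


def scan_staging_tree(root):
    """Scan every .git/config below root, the directory about to be uploaded."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) == ".git" and "config" in files:
            path = os.path.join(dirpath, "config")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_git_config(fh.read())
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report


def blocks_upload(report):
    """Fail the job only for secrets stored inside the tree itself."""
    return any(kind != "external-include"
               for hits in report.values() for kind, *_ in hits)


# Constructed samples: the token is a placeholder, the include path is made up.
FAKE_HEADER = base64.b64encode(b"x-access-token:CONSTRUCTED-NOT-A-TOKEN").decode()
OLD_STYLE_CONFIG = (
    "[core]\n\tbare = false\n"
    '[http "https://github.com/"]\n'
    "\textraheader = AUTHORIZATION: basic " + FAKE_HEADER + "\n"
)
NEW_STYLE_CONFIG = (
    "[core]\n\tbare = false\n"
    '[includeIf "gitdir:/work/repo/.git"]\n'
    "\tpath = /runner-temp/constructed-credentials.config\n"
)

if __name__ == "__main__":
    for name, text in (("old", OLD_STYLE_CONFIG), ("new", NEW_STYLE_CONFIG)):
        print(name, scan_git_config(text))
```

The include path reported for the new layout is worth keeping in the output: if that file's directory is ever added to an artifact's path list, the credential travels with it.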

openshift-ci bot commented Jan 14, 2026

@jiridanek: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/images | 920d1db | link | true | /test images |


@atheo89 atheo89 left a comment

/lgtm

openshift-ci bot commented Jan 14, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: atheo89

@openshift-ci-robot

/retest-required

Remaining retests: 0 against base HEAD fd0eea1 and 2 for PR HEAD 920d1db in total

@jiridanek jiridanek merged commit 53f5ce7 into opendatahub-io:main Jan 14, 2026
18 of 20 checks passed
@jiridanek jiridanek deleted the jd/2026/01/updategha branch January 14, 2026 09:39
jiridanek added a commit to jiridanek/notebooks that referenced this pull request Feb 11, 2026
…ns (opendatahub-io#2827)

* chore(deps): update actions/checkout v5 → v6

Changes in v6:
- Node.js 24 support (requires runner v2.327.1+)
- Persist credentials to separate file under $RUNNER_TEMP
- Improved worktree support for persist-credentials includeIf

Breaking: Requires Actions Runner v2.329.0 for Docker container actions

* chore(deps): update actions/setup-go v5 → v6

Changes in v6:
- Node.js 24 support (requires runner v2.327.1+)
- Improved toolchain handling for reliable selection
- Support for .tool-versions file (v6.1.0)
- Fallback to go.dev/dl instead of storage.googleapis.com

Breaking: Improved toolchain handling may affect existing setups

* chore(deps): update actions/setup-python v5 → v6

Changes in v6:
- Node.js 24 support (requires runner v2.327.1+)
- New pip-version input to specify pip version
- Enhanced reading from .python-version file
- Version parsing from Pipfile
- v6.1.0: pip-install input and GraalPy early-access support

New feature: Consider using pip-version input for reproducible builds

* chore(deps): update actions/cache v4 → v5

Changes in v5:
- Node.js 24 support (requires runner v2.327.1+)
- v5.0.1 fixes Node.js 24 punycode deprecation warning

No new features, primarily runtime upgrade

* chore(deps): update actions/add-to-project v0.5.0 → v1

Changes from v0.5.0 to v1:
- Promoted to stable API (v1.0.0)
- Added reopened event support (v0.6.0)
- Documented outputs in action manifest
- Security fix for undici

Now uses stable v1 major version tag

* chore(deps): update actions/github-script v7 → v8

Changes in v8:
- Node.js 24 support (requires runner v2.327.1+)

No new features, primarily runtime upgrade

* chore(deps): docker/login-action v3 already using floating tag

docker/login-action is currently using @v3 which is a floating major
version tag. Latest release is v3.6.0.

New features available:
- registry-auth input for raw authentication (v3.6.0)
- Dual-stack endpoints for AWS ECR (v3.5.0)

No changes needed - floating tag auto-updates to latest v3.x

* chore(deps): update peter-evans/create-pull-request v6.1.0 → v8.0.0

Changes in v8:
- Node.js 24 support (requires runner v2.327.1+)
- v7.0.9 fixed compatibility with actions/checkout@v6

Updated SHA from c5a7806660adbe173f04e3e038b0ccdcd758773c (v6.1.0)
to 98357b18bf14b5342f975ff684046ec3b2a07725 (v8.0.0)

* chore(deps): update snok/container-retention-policy v3.0.0 → v3.0.1

Changes in v3.0.1:
- Use provided GITHUB_* URL variables
- Fix output coloring
- Update dependencies

Updated SHA from 4f22ef80902ad409ed55a99dc5133cc1250a0d03 (v3.0.0)
to 3b0972b2276b171b212f8c4efbca59ebba26eceb (v3.0.1)

* chore(deps): repo-sync/pull-request v2 already using floating tag

repo-sync/pull-request is currently using @v2 which is a floating major
version tag. Latest release is v2.12.1.

Changes since v2:
- Third-party repository support (v2.10)
- Logging and pr_created flag (v2.11)
- Fix special characters in repo URL (v2.12.1)

No changes needed - floating tag auto-updates to latest v2.x

(cherry picked from commit 53f5ce7)