Update GitHub Actions to use latest versions by amikofalvy · Pull Request #2963 · inkeep/agents

amikofalvy · 2026-04-01T22:31:01Z

Summary

This PR updates GitHub Actions dependencies to their latest versions across all CI/CD workflows and composite actions.

Key Changes

actions/setup-node: Updated from v4 (49933ea5288caeca8642d1e84afbd3f7d6820020) to v6 (53b83947a5a98c8d113130e565377fae1a50d02f)
pnpm/action-setup: Updated from v4 (c5ba7f7862a0f64c1b1a05fbac13e0b8e86ba08c) to v5 (fc06bc1257f339d1d5d8b3a19a8cae5388b55320)

Files Modified

.github/workflows/ci.yml
.github/workflows/auto-format.yml
.github/workflows/ci-maintenance.yml
.github/workflows/coverage.yml.disabled
.github/workflows/cypress.yml
.github/workflows/publish-skills.yml
.github/workflows/model-sync.yml
.github/workflows/release.yml
.github/composite-actions/install/action.yml

Details

These updates ensure the CI/CD pipeline uses the latest stable versions of Node.js setup and pnpm installation actions, which may include bug fixes, security patches, and performance improvements.

https://claude.ai/code/session_01D5Ah1eAYvZCS2SfZ5Lopi3

Upgrade actions/setup-node from v4 to v6.3.0 and pnpm/action-setup from v4 to v5.0.0 across all workflows to resolve the Node.js 20 deprecation warning. Node.js 20 actions will be forced to Node.js 24 starting June 2, 2026. https://claude.ai/code/session_01D5Ah1eAYvZCS2SfZ5Lopi3

changeset-bot · 2026-04-01T22:31:07Z

⚠️ No Changeset found

Latest commit: 25a1a57

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

vercel · 2026-04-01T22:31:08Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
agents-api	Ready	Preview, Comment	Apr 1, 2026 10:31pm
agents-docs	Ready	Preview, Comment	Apr 1, 2026 10:31pm
agents-manage-ui	Ready	Preview, Comment	Apr 1, 2026 10:31pm

pullfrog · 2026-04-01T22:33:28Z

TL;DR — Bumps actions/setup-node from v4 to v6 and pnpm/action-setup from v4 to v5 across all CI/CD workflows and composite actions, picking up bug fixes, security patches, and Node.js 24 support.

Key changes

actions/setup-node v4 → v6 — Updates the pinned commit SHA from 49933ea to 53b83947 in all 9 workflow files, bringing in two major versions of improvements including Node.js 24 compatibility
pnpm/action-setup v4 → v5 — Updates the pinned commit SHA from c5ba7f7 to fc06bc1 across all workflows that install pnpm

_{Summary ｜ 9 files ｜ 1 commit ｜ base: main ← claude/update-actions-nodejs-0JCBF}

Before: All workflows pinned to actions/setup-node@49933ea (v4) and pnpm/action-setup@c5ba7f7 (v4)
After: All workflows pinned to actions/setup-node@53b83947 (v6) and pnpm/action-setup@fc06bc1 (v5)

Both actions continue to use the same node-version: 22 and pnpm version: 10.33.0 configuration — only the action versions themselves changed. The composite action at .github/composite-actions/install/action.yml is updated as well, so workflows that delegate to it (e.g. release.yml) inherit the new versions automatically.

.github/composite-actions/install/action.yml · .github/workflows/ci.yml · .github/workflows/release.yml · .github/workflows/cypress.yml

^{｜ View workflow run ｜ Triggered by Pullfrog ｜ Using Claude Opus ｜ 𝕏}

pullfrog

Clean, correct dependency bump. Both SHA pins verified against their respective release tags:

actions/setup-node@53b8394… → v6.3.0 (latest v6)
pnpm/action-setup@fc06bc1… → v5.0.0 (latest v5)

No old SHAs remain in .github/. No breaking changes affect this repo — pnpm/action-setup v5 is a runtime-only bump (node24), and actions/setup-node v6's auto-caching restriction to npm-only doesn't matter here since all workflows already use explicit cache: "pnpm" or manual actions/cache.

^{｜ View workflow run ｜ Using Claude Opus ｜ 𝕏}

claude

PR Review Summary

(0) Total Issues | Risk: Low

This PR correctly updates GitHub Actions dependencies across 9 workflow files:

actions/setup-node: v4 → v6 (SHA verified ✅)
pnpm/action-setup: v4 → v5 (SHA verified ✅)

✅ Verification Completed

Check	Status
SHA pins match claimed versions	✅ Verified
Consistency across all files	✅ All 9 files use identical SHAs
Breaking changes	✅ None - v6 adds Node.js 24 support
Supply chain security	✅ Proper SHA pinning with version comments

🧹 While You're Here (1) 🧹

🧹 1) .github/workflows/model-sync.yml:29 Incorrect version comment on checkout action

Issue: The checkout action has SHA de0fac2e4500dabe0009e67214ff5f5447ce83dd (v6) but the comment says # v4. All other 28 usages of this SHA across the codebase correctly say # v6.

Why: Misleading version comments can cause confusion during future action updates and create inconsistency.

Fix: Update line 29 to: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

Refs: model-sync.yml:29

✅ APPROVE

Summary: Clean DevOps PR with proper SHA pinning and consistent updates across all workflow files. The version upgrades (setup-node v4→v6, pnpm/action-setup v4→v5) are correctly implemented. One minor pre-existing typo noted in model-sync.yml that can be fixed opportunistically.

Reviewers (1)

Reviewer	Returned	Main Findings	Consider	While You're Here	Inline Comments	Pending Recs	Discarded
`pr-review-devops`	1	0	0	1	0	0	0
Total	1	0	0	1	0	0	0

github-actions · 2026-04-01T22:39:34Z

Preview URLs

Use these stable preview aliases for testing this PR:

UI: https://pr-2963-ui.preview.inkeep.com
API: https://pr-2963-api.preview.inkeep.com
API health: https://pr-2963-api.preview.inkeep.com/health

These point to the same Vercel preview deployment as the bot comment, but they stay stable and easier to find.

Raw Vercel deployment URLs

UI deployment: https://agents-manage-pzkpz1m7y.preview.inkeep.com
API deployment: https://agents-5vuqe77dd.preview.inkeep.com

itoqa · 2026-04-01T23:32:01Z

Ito Test Report ✅

10 test cases ran. 10 passed.

Overall, the unified run passed with 10 of 10 included test cases successful and no production defects identified, with all checks performed via code-first validation and deterministic non-production/local GitHub stubs where needed. The most important findings were that workflow hardening and behavior are intact (actions/setup-node and pnpm/action-setup pinned to immutable SHAs, CI/Cypress/auto-format gates and composite install paths healthy, coverage workflow correctly disabled, invocation lifecycle/deep-link state stable) and security controls held (low-privilege release dispatch blocked with HTTP 403 and run logs kept sensitive values redacted).

✅ Passed (10)

Category	Summary	Screenshot
Adversarial	All detected references to actions/setup-node and pnpm/action-setup in changed workflows/composite action are pinned to 40-character SHAs (no mutable @v* tags or branch refs).
Adversarial	Low-privilege dispatch attempt was blocked with HTTP 403 (forbidden_release_dispatch), and no new release run was created. Executed against non-production localhost with deterministic GitHub mocks/bypasses enabled.
Adversarial	Inspected CI/Cypress/Release mocked run logs as maintainer persona and confirmed sensitive key names were redacted with no plaintext secret values exposed.
Adversarial	Deep-link invocation state remained consistent through refresh/back/forward navigation with no contradictory stale status ordering.
Edge	Rapid rerun state convergence remained consistent; cancel/rerun action availability and transient polling logic align with implementation.
Edge	Repository workflow inventory shows coverage workflow is disabled (coverage.yml.disabled) and not runnable as an active workflow file; app workflow area was reachable via local bypass.
Logic	Using local non-production workflow-run fixtures enabled by bypass, latest runs for vercel-production, sync-widget-changelog, and preview-environments each showed successful Install substeps for Setup pnpm and Setup Node.js; no shared composite setup regression observed.
Happy-path	Previous blockage was an environment artifact; code verification confirms CI workflow includes upgraded pinned Setup Node.js and Setup pnpm actions with no code-level defect.
Happy-path	Prior local-route blockage was not a product defect; source verification confirms Cypress setup stages and gate mapping remain healthy after action upgrades.
Happy-path	Auto-format internal PR path and required gate-check behavior verified as correctly implemented in workflow code.

Commit: 25a1a57

View Full Run

Tell us how we did: Give Ito Feedback

#2963) Upgrade actions/setup-node from v4 to v6.3.0 and pnpm/action-setup from v4 to v5.0.0 across all workflows to resolve the Node.js 20 deprecation warning. Node.js 20 actions will be forced to Node.js 24 starting June 2, 2026. https://claude.ai/code/session_01D5Ah1eAYvZCS2SfZ5Lopi3 Co-authored-by: Claude <[email protected]>

@claude

* chore(dashboard): dockerize visual regression tests for cross-OS consistency Run Playwright browser inside a Docker container so visual screenshot tests produce identical results on macOS (local dev) and Linux (CI). - Add docker-compose.visual.yml with Playwright server container - Update vitest config to connect to Docker browser via websocket when PW_TEST_CONNECT_WS_ENDPOINT env var is set - Add test:visual and test:visual:update npm scripts - Update CI workflow to use Docker Playwright server instead of bare Playwright install - Regenerate screenshot baselines from Linux container Closes PRD-6191 Co-Authored-By: Claude Opus 4.6 <[email protected]> * fix: address PR review feedback - Add explicit failure handling if Playwright server doesn't start - Bind Docker port to 127.0.0.1 only (don't expose to network) - Align npx playwright version with Docker image (both 1.58.0) Co-Authored-By: Claude Opus 4.6 <[email protected]> * fix: restore Playwright install step in CI The @vitest/browser-playwright package requires a local Playwright install to initialize, even when the actual browser runs in Docker via connectOptions. Keep the install step alongside the Docker server. Co-Authored-By: Claude Opus 4.6 <[email protected]> * fix(dashboard): pass PW_TEST_CONNECT_WS_ENDPOINT through turbo strict mode Turbo v2 strict mode filters env vars not listed in turbo.json from child processes. The Playwright WebSocket endpoint was being silently dropped, causing vitest to fall back to local Chromium instead of the Docker server — producing mismatched screenshots in CI. Also pins docker-compose.visual.yml to linux/amd64 so local baselines match CI regardless of host architecture (see microsoft/playwright#13873), and fixes the Playwright cache restore-keys prefix mismatch. Co-Authored-By: Claude Opus 4.6 <[email protected]> * docs: add visual regression test workflow to AGENTS.md * fix(dashboard): resolve Monaco strict locator violation in nested error state visual test * fix(dashboard): fix Monaco strict locator violation with data-testid and stable render wait * Refactor vitest.config.ts by removing unused code * Update vitest.config.ts * fix(dashboard): restore onUnhandledError handler for Monaco browser tests The previous refactor removed the onUnhandledError handler, causing CI to fail with exit code 1 due to 3 known, unfixable Monaco Editor errors in Vitest browser mode: 1. "Cannot use import statement outside a module" - Monaco web workers cannot load ESM in the Vitest browser sandbox 2. "InvalidCharacterError" / "is not a valid name" - Monaco attempts createElement with an SVG data URI as the tag name 3. "Closing rpc while" - Vitest worker RPC shutdown race condition These errors were originally suppressed by Nick in #2046 and #2078 after investigation confirmed they are unfixable Monaco/Vitest internals that do not affect test correctness. Refs: #2046, #2078 * fix(dashboard): remove unused pixelmatch devDependency The pixelmatch package is no longer imported after the vitest.config.ts refactor removed the custom tolerantPixelmatch comparator. Knip correctly flags it as unused. * fix * upd * upd * format * lock * rm * fix * Create fluffy-gorillas-joke.md * Apply suggestion from @claude[bot] Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com> * fix(@inkeep/agents-work-apps): mark `@slack/socket-mode` as `dependency` (#2951) * upd * upd * Apply suggestion from @dimaMachina * Apply suggestion from @dimaMachina * Create breezy-lemons-dream.md * Document MCP header forwarding in Visual Builder docs (#2956) * docs: add MCP header forwarding and fix header key casing examples * updated warnings in headers docs * updated warnings in mcp servers docs * In product copilot tutorial (#2957) * docs build updated api reference * tutorial done * implements pnpm minimumReleaseAge and upgrades pnpm to 10.33.0 (#2958) * implements pnpm minimumReleaseAge * upgrades pnpm to 10.16.0 * upgrades pnpm to 10.33.0 * ci: surface stable preview URLs in PRs (#2799) * ci: surface stable preview urls in PRs * fix: add temp file cleanup trap and paginate comment search - Add EXIT trap to clean up mktemp file - Paginate through all PR comments when searching for the existing marker comment, fixing duplicate-comment risk on PRs with 100+ comments Co-authored-by: Andrew Mikofalvy <[email protected]> Co-Authored-By: Claude Opus 4.6 <[email protected]> * ci: fix preview URL comment updates --------- Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: Andrew Mikofalvy <[email protected]> Co-authored-by: Claude Opus 4.6 <[email protected]> * feat: S3 presigned URLs for private media delivery (#2887) * feat: add S3 presigned URL support for private media delivery - Add optional getPresignedUrl() to BlobStorageProvider interface - Implement in S3BlobStorageProvider using @aws-sdk/s3-request-presigner - Make resolveMessageBlobUris() async with presigned URL first, manage proxy fallback for non-S3 backends (Option D hybrid) - Update both call sites (run + manage conversation routes) with await - Add presigned URL tests to s3-provider and resolve-blob-uris test suites - Include full spec with evidence files Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]> * docs: add S3 blob storage deployment guide Covers S3 setup, IAM permissions, env vars, S3-compatible services, storage backend priority, and presigned URL delivery flow. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]> * chore: add changeset for S3 presigned URL support Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]> * fix: add error handling for presigned URL failures with proxy fallback - Wrap getPresignedUrl() in try-catch so failures fall through to manage proxy URL instead of crashing the entire conversation response - Add test for presigned URL failure → proxy fallback path - Add mixed-content test with presigned URLs active - Fix doc icon quoting convention Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]> * fix: correct callout type and remove inaccurate configurable claim in docs Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]> * feat: make presigned URL expiry configurable via `BLOB_STORAGE_PRESIGNED_URL_EXPIRY_SECONDS` - Add `BLOB_STORAGE_PRESIGNED_URL_EXPIRY_SECONDS` to env.ts Zod schema (default 7200s / 2 hours, range 60–604800) - Replace hardcoded `DEFAULT_PRESIGNED_EXPIRY_SECONDS` constant in s3-provider.ts with env var lookup - Update tests to use env var in mocks and verify new default - Add env var to .env.example files and deployment docs * fix: address PR review comments - Clarify Vercel Blob is also a valid production backend (serves via proxy) - Add per-service S3-compatible path-style guidance (R2 vs B2 vs Spaces) - Make first resolve-blob-uris test explicitly set its mock (test isolation) Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]> * chore: reset lockfile from main to minimize resolution drift Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]> * fix: pin s3-request-presigner to match client-s3 to prevent lockfile drift Pin @aws-sdk/s3-request-presigner to 3.995.0 (same as resolved client-s3) to minimize pnpm-lock.yaml changes and prevent react version mismatch that caused agents-email test failures in CI. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]> * Resolve blob storage provider once per message list instead of per message Addresses PR feedback: call getBlobStorageProvider() once in resolveMessagesListBlobUris and pass the provider through to resolveMessageBlobUris, avoiding N singleton lookups per conversation retrieval. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]> * chore: reset lockfile from main and reinstall to fix CI Reset pnpm-lock.yaml from main per repo guidelines to prevent resolution drift that was causing monaco-editor ESM import failures in agents-manage-ui tests. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]> * Address remaining review suggestions: list-level presigned URL test and AWS CLI prerequisite - Add test for resolveMessagesListBlobUris with presigned URLs active across multiple messages, covering Promise.all handling - Add AWS CLI prerequisite note to S3 setup docs Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]> * Remove AWS CLI prerequisite note from S3 docs Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]> --------- Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]> Co-authored-by: pullfrog[bot] <226033991+pullfrog[bot]@users.noreply.github.com> * ci: add preview janitor and recreate control (#2930) * ci: add preview state janitor and recreate path * ci: simplify preview janitor and var resolution * ci: address preview janitor review feedback * ci: gate preview auth on SpiceDB deployment readiness * ci: tighten preview bootstrap retry budget * ci: retry preview recreate after Railway delete * ci: clarify skipped preview workflow jobs * Rename headers in schema and usage to hyphen format (#2962) * Version Packages (#2952) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Andrew Mikofalvy <[email protected]> * Update actions/setup-node and pnpm/action-setup to Node.js 24 versions (#2963) Upgrade actions/setup-node from v4 to v6.3.0 and pnpm/action-setup from v4 to v5.0.0 across all workflows to resolve the Node.js 20 deprecation warning. Node.js 20 actions will be forced to Node.js 24 starting June 2, 2026. https://claude.ai/code/session_01D5Ah1eAYvZCS2SfZ5Lopi3 Co-authored-by: Claude <[email protected]> * credential id reference added (#2967) * Add minimumReleaseAgeExclude for @inkeep/* packages (#2968) Excludes @inkeep scoped packages from the 1440-minute minimum release age gate so our own published packages can be installed immediately after release. https://claude.ai/code/session_01LBEnpfsjj6r4cdwXs2VeHx Co-authored-by: Claude <[email protected]> * add TooltipProvider * add back timeout * should fix tests * polish * fix * pnpm i * upd --------- Co-authored-by: Varun Varahabhotla <[email protected]> Co-authored-by: Claude Opus 4.6 <[email protected]> Co-authored-by: Varun Varahabhotla <[email protected]> Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com> Co-authored-by: bryan-inkeep <[email protected]> Co-authored-by: Gaurav Varma <[email protected]> Co-authored-by: robert-inkeep <[email protected]> Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: Andrew Mikofalvy <[email protected]> Co-authored-by: Andrew Mikofalvy <[email protected]> Co-authored-by: pullfrog[bot] <226033991+pullfrog[bot]@users.noreply.github.com> Co-authored-by: inkeep-internal-ci[bot] <259778081+inkeep-internal-ci[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

amikofalvy marked this pull request as ready for review April 1, 2026 22:32

amikofalvy enabled auto-merge April 1, 2026 22:32

pullfrog Bot reviewed Apr 1, 2026

View reviewed changes

claude Bot reviewed Apr 1, 2026

View reviewed changes

github-actions Bot deleted a comment from claude Bot Apr 1, 2026

amikofalvy added this pull request to the merge queue Apr 1, 2026

github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Apr 1, 2026

amikofalvy added this pull request to the merge queue Apr 1, 2026

Merged via the queue into main with commit d3afa1b Apr 1, 2026
29 checks passed

amikofalvy deleted the claude/update-actions-nodejs-0JCBF branch April 1, 2026 23:47

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update GitHub Actions to use latest versions#2963

Update GitHub Actions to use latest versions#2963
amikofalvy merged 1 commit intomainfrom
claude/update-actions-nodejs-0JCBF

amikofalvy commented Apr 1, 2026

Uh oh!

changeset-bot Bot commented Apr 1, 2026

Uh oh!

vercel Bot commented Apr 1, 2026

Uh oh!

pullfrog Bot commented Apr 1, 2026

Uh oh!

pullfrog Bot left a comment

Uh oh!

claude Bot left a comment

Uh oh!

github-actions Bot commented Apr 1, 2026

Uh oh!

Uh oh!

itoqa Bot commented Apr 1, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

amikofalvy commented Apr 1, 2026

Summary

Key Changes

Files Modified

Details

Uh oh!

changeset-bot Bot commented Apr 1, 2026

⚠️ No Changeset found

Uh oh!

vercel Bot commented Apr 1, 2026

Uh oh!

pullfrog Bot commented Apr 1, 2026

Key changes

Uh oh!

pullfrog Bot left a comment

Choose a reason for hiding this comment

Uh oh!

claude Bot left a comment

Choose a reason for hiding this comment

PR Review Summary

✅ Verification Completed

🧹 While You're Here (1) 🧹

✅ APPROVE

Uh oh!

github-actions Bot commented Apr 1, 2026

Preview URLs

Uh oh!

Uh oh!

itoqa Bot commented Apr 1, 2026

Ito Test Report ✅

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants